SN 1052: Global Cellphone Tracking - Checkout.com Fights Back
Security Now (Audio), November 19, 2025
1052
3:02:07, 166.95 MB

Think your cell phone is safe from tracking? Steve reveals how global networks let anyone pinpoint your location—no hacking required and no malware involved.

  • Apple introduces a new Digital ID inside Wallet.
  • Checkout.com refuses to pay a ransom demand.
  • Google announces "Private AI Compute" in the cloud.
  • Google backpedals on their "devs must register" demand.
  • Win11 added a Passkeys API which 1Password & Bitwarden support.
  • Russia tracks SIM card appearances to thwart drone usage.
  • Google sues a Chinese Phishing-as-a-Service platform.
  • Lots of interesting listener feedback.
  • Global cellphone tracking is alive, well, malware-free and a distressingly common commercial enterprise.

Show Notes - https://www.grc.com/sn/SN-1052-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

[00:00:00] It's time for Security Now. Steve Gibson is here. Apple has added a new Digital ID inside its Wallet. You can even put your passport in there. I think we're getting closer and closer to secure age verification via Apple. Steve will talk about that. Google backpedals on their demand that all developers for Android phones must register with Google. Russia is tracking SIM card appearances. Google is suing a Chinese phishing-as-a-service platform.

[00:00:28] And then we'll talk about how it's almost impossible if you have a cell phone not to be tracked. It doesn't require malware. All that and more coming up next on Security Now. Podcasts you love. From people you trust. This is TWIT.

[00:00:52] Podcasts you love. This is Security Now with Steve Gibson. Episode 1052. Recorded Tuesday, November 18th, 2025. Global Cellphone Tracking. It's time for Security Now. Oh, everybody's been waiting all week long to see this cat right here. Mr. Steve Tiberius Gibson, host of the show and our expert on security, privacy and all good things. Hello, Steve.

[00:01:20] Hey, Leo. Great to be with you for episode 1052. I heard that MacBreak is about to go to 1000. Yes, we're catching up with you. And they weren't worried about stopping at 999. So there was none of that. There was none of that anxiety. So that would say, since we're at 1052, that they started exactly one year after. Oh, that's right. We did.

[00:01:43] Yes. Assuming we do 52 shows a year. And I think we were a few months after the main TWIT podcast. Right. So that's right. And I think I was number two. Security Now is the second one. I can't. I'm not sure where TWIT is these days. It's just a little ahead of you, I guess. And actually, the topic of my passport and our meeting in Toronto comes up today on today's podcast.

[00:02:04] Oh, for reasons that you will soon see. Oh, I look forward to that, along with our listeners. Oh, we're going to talk about something that actually began with a pointer from a listener in feedback from our listeners, which again, is like so valuable to me.

[00:02:25] And I gave it a scan. And part of what it said just sucked me in because I thought, oh, this is such a perfect topic for us to talk about.

[00:02:38] Today, we're going to talk about global cell phone tracking and why it's not about Pegasus or the NSO Group or any of these high-end malware spyware people that Apple is trying to get rid of. And there's nothing Apple can do about this, or Google or Samsung or anybody.

[00:03:01] It is far more pervasive than we have previously understood. And it's available commercially as a service and having the crap abused out of it. Oh, yeah. So a great topic. But we're going to talk about Apple's introduction of their new Digital ID, which is something that just happened on Wednesday.

[00:03:27] I got a pop-up note on my phone, which was when Apple announced it. So we'll cover that. Also, Checkout.com refusing to pay a ransom demand and what they're going to do instead with the equivalent amount of money. Google's announcement of their Private AI Compute in the cloud. Should we trust it or what? We'll kind of put that in context.

[00:03:51] Also, they're backpedaling, surprise, on their "all devs must register" demand. It's not dying completely, but they got so much pushback from the world. I mean, we've talked about it and rapped them a little bit here. You know, and there was a whole F-Droid problem. I mean, it was just going to be a problem. So we'll update on where they are. Windows 11 with the November update has added a passkeys API.

[00:04:18] And Leo, wouldn't you know, the top two password managers that are both supporters of the podcast are the only two which currently support the API at its release. Really? Yeah. So we're choosing well is all I'm saying. Yes. And our listeners are, of course, as well. Russia, it turns out, is tracking. This is really kind of clever.

[00:04:42] SIM card appearances within their borders as a means of thwarting their abuse for drone attacks, which kind of ties back into this global cell phone tracking topic. So we're going to get into that. Also, Google is suing a Chinese phishing-as-a-service platform. Those are the main highlights. Although we're going to then get into some listener feedback, which leads me down some interesting trails.

[00:05:12] So we'll do that and then wrap up by talking about something that I wasn't aware was going on. And it turns out lots of actual cell phone providers were not either. Old technology, the oldest, which is under continuous use and abuse. So I think another great podcast for our listeners for this 1052 episode. And we do have a fun picture of the week.

[00:05:40] So I think I have... maybe I have kept my eyes averted when loading the screens. So we shall enjoy it together. That's all coming up as this episode of Security Now, episode 1052, gets underway. But before we go too far, perhaps I should say hello to one of our sponsors, if you don't mind, Steve. Hello. One of my favorites. I know, you know, sponsors are like your children. You're not supposed to pick favorites. I happen to like these guys a lot.

[00:06:08] In fact, we might be going to visit them in Orlando next year. I'll tell you a little more about that. Oh, I know. Our show brought to you by ThreatLocker. If you listen to this show, you know ransomware is killing businesses worldwide. But ThreatLocker can prevent you from becoming the next victim using a technology Steve has talked about for years. You were the first person to tell me about zero trust. And you convinced me. I think it was Google that really came up with this concept.

[00:06:37] The idea that, you know, until then, you just assume everybody on your network belongs there. They got in. They must be an employee or somebody. Well, Google realized that's probably not the best policy. Zero trust means no trust. Just because somebody's in your network doesn't mean they belong to your network. ThreatLocker's zero trust platform takes a proactive, and this is the key,

[00:07:05] deny-by-default approach that blocks every unauthorized action. If you don't explicitly say, yes, this person can do that, they can't, which protects you from both known and unknown threats. Zero days. Exploits that have never been seen before, they still don't work because you haven't given them permission. That's why businesses that can't afford to be down for even a moment,

[00:07:31] global enterprises like JetBlue or the Port of Vancouver, trust ThreatLocker to shield them from zero-day exploits and supply chain attacks while providing complete audit trails for compliance. Because if you think about it, you know exactly who did what when. It's all logged, right? Or who didn't do what when, right? Who couldn't do what when. As more cyber criminals turn to malvertising. This is something to be aware of. You need more than just traditional security tools.

[00:08:02] Malvertising gets bad guys in over the transom lickety-split. Attackers create convincing fake websites, websites that look like popular brands, AI tools or software applications. Then they publicize them on social media and they use hijacked accounts to create them. And then, and this is the most insidious thing, they go to legitimate ad networks. These are all automated ad networks, right? So nobody's keeping an eye on things. And they buy ads.

[00:08:30] In fact, they embed the malware in the ad. They embed it, which means anybody, even if they're browsing on your work systems and you've got it all locked down, your employees are going to go look at those ads. They look real. Traditional security tools almost always miss these attacks because they're clever. They're using fileless payloads. They run in RAM only. They exploit trusted services. They bypass typical filters. They can't bypass ring fencing.

[00:09:00] That's ThreatLocker's innovative technology that strengthens endpoint defense by controlling what applications and scripts can access or execute. Zero trust. Containing potential threats. Even if malicious ads get to the device, they can't do anything. ThreatLocker works in every industry. It supports PCs and Macs. They've got great US-based support. They're there 24-7 for you.

[00:09:26] And as a side effect of zero trust, well, it's not incidental. It's important. It enables comprehensive visibility and control. Jack Senesap, Director of IT Infrastructure and Security at Redner's Markets. Redner's uses ThreatLocker. He says, quote, when it comes to ThreatLocker, the team stands by their product. ThreatLocker's onboarding phase was very good. They were very hands-on.

[00:09:53] They were able to help me and guide me to where I am in our environment today. End quote. And I can tell you, Jack's really happy with where he is today. You get unprecedented protection quickly, easily, and cost-effectively with ThreatLocker. Visit ThreatLocker.com slash TWIT to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker.com slash TWIT.

[00:10:21] We thank them so much for the support of security now. All right, Steve. I'm ready for the picture. So this is just a wonderful picture. The picture itself tells a story. So let's show the picture first. And then I will explain the headline, the title that I gave it. Let me put the picture up big here so everybody can see it. And I'm going to scroll up. And I'm going to see it with you, everybody at home, for the first time.

[00:10:55] Okay. You better explain this. Oh, yeah. I have to explain it. So first of all, a number of our listeners who received the email with this yesterday morning wrote to tell me exactly where it was and what it was.

[00:11:14] I mean, it's Korean and it's a subway hall near the Korean or attached to the Korean city hall of some city in South Korea. And so what this shows is that somebody wanted to bring, apparently needed to bring a drain pipe down from a particular location in the ceiling to where it goes in the floor.

[00:11:43] But there was a very nice sign in the way. An advertisement, I think. I know you don't want to block an ad, right? No, no, no, no. And so had the pipe simply come down from the ceiling straight down to the floor, it would have like bisected this sign. It would have been in front of the sign, which was very unsightly.

[00:12:07] So instead, an industrious South Korean plumber decided to do a left turn above the sign, go over past the sign, then another left turn or downward turn to go down past the sign. Then he still has to get back to where the drain was originally going to go. So back around again over to the middle of the sign. It's a little like Ms. Pac-Man or something.

[00:12:37] It's like there was a game of this like this where you would route the pipes around. I remember. Yeah. Anyway, so I gave this one in order to put this in the context of our community. How bad must things become before you decide to stop and refactor the code? Now I understand. I like it.

[00:13:01] So refactoring is sort of a term that's come into use a lot more lately. I mean, I grew up coding and I didn't feel like refactoring was a piece of jargon that was commonly used until relatively recently. The idea is, and we have talked about this, code does not evolve well.

[00:13:25] Normally, the way code begins is a coder or a team lay out a specification or have a clear idea of what the code, you know, what the overall project's goals are. And then that gets cast into code. Basically, the architecture of the code reflects those original ideas.

[00:13:52] Then either management gets involved or somebody comes along later and says, hey, what about this green right angle doohickey? You don't have that. And then the coders go, oh, crap. We didn't know we were supposed to, you know, do that.

[00:14:10] So something gets hung on to the existing code, an exception, essentially, to what was originally a probably, hopefully, a beautiful architecture, a structure that well represented that original set of goals. Now we have, you know, a barnacle that's sitting there. And then, you know, time is also not code's friend.

[00:14:37] So time goes by and some new features are made available that the code had no way to anticipate. But, oh, we got to support those. So more barnacles. And before long, you just end up with what can only be described as either a kluge or a mess. Because, I mean, there are consequences to this. But some of those barnacles may have knocked off some other ones.

[00:15:03] Or be, you know what, you might have a barnacle that's already in the way of where another barnacle is. So you can't put that barnacle where you want. I mean, there starts kind of being a tug of war. And you get maintainability problems. You get security problems. You get reliability problems. Bugs start cropping up because of interactions. Oh, and you've got new coders, right? The coders who wrote the original system, they wandered off somewhere or they got promoted or, you know, refactored.

[00:15:32] So anyway, the point is, at some point, you recognize, okay, just stop. We got, you know, what we have no longer represents the reality that is present. So it's time to refactor.

[00:15:53] The idea being, basically, reconceive the underlying structure so that it now supports everything which has been learned, which has happened, which has been added, which time has done. You know, all these things that are hostile to code.

[00:16:13] And so, anyway, the point here being, rather than moving the sign, which might have been the obvious solution. Exactly. Oh, no. The sign, you know what? It's got lag bolts two feet into the wall or something. Or maybe there's some ugly blemish on the wall that the sign is covering up. You don't know what's under the sign. There might be a hole there or something.

[00:16:42] So rather than move the sign, which would have sort of been obvious, no, we are just going to plumb around it. Very much like one of those three stooges episodes. And Paul, remind me, the game Pipe Dream did this, too, or Pipe Mania. Yeah. You know, it's funny. I actually relish refactoring code. I actually love to refactor code. There's something because it's aesthetic, right? I get it.

[00:17:11] Yes. Yes. In fact, I did it yesterday for the benchmark. There was a feature in the benchmark, which I originally wrote in 2008, which was slowing down the end of the benchmark because I switched one of the pages from a bitmap, which I was able to paint quickly, to a rich edit format.

[00:17:38] And this thing ran on Windows 95 originally. Wow. And so I was using my code to populate a rich edit control, which is very much like WordPad. Basically, WordPad is just the rich edit control with a bunch of chrome window dressing literally around it. In effect, manually draw the screen with code. I was.

[00:18:04] And there is an API that Windows provides called StreamIn and StreamOut that allows you to feed, basically feed content into this. But it's really slow. Microsoft never bothered to optimize it. I don't think probably I and a couple other people ever used it, but it's there.

[00:18:26] The problem is it's so slow that I realized when I was looking at the benchmark again that I was holding down the end, like the announcement of the completion while I was painting this other tab that the user might not even be looking at right now. But I was like holding everything up.

[00:18:50] So the first thing I did was that instead of doing that, I spawned another thread to do this painting in the background. And so I would be able to declare the benchmark done immediately. But then if the user clicked on that tab while I was busy filling its contents, I needed to have a little signage that said, please wait one moment while this tab finishes updating at the completion of the benchmark. So I had that.

[00:19:20] Then one of our testers said, you know, Steve, we have four different sort orders now for the results, and this tab always sorts the way the bar graph of the results was sorted when it finished. But I changed the sort order, and it'd be nice if the tabular display of all of the details would re-sort.

[00:19:50] OK, so now that means that I need to be able to come in later. But what if the user changes it while the sort is underway, which is a time consuming process? That means I need to be able to interrupt the ongoing sort and painting of the control, abort it, and then restart it at any time if the user changes the sort order.

[00:20:14] And while I was at it, while the benchmark was underway and I was displaying a bitmap pretending to be the rich edit, which I was able to paint quickly, I gave that all the same features. Well, the point is that as a consequence of all that, I had introduced some sort of a subtle hang in the UI. Well, I mean, because there was a lot of stuff going on.

[00:20:38] I was setting semaphores and flags and aborting threads and checking to see whether, you know, what was going on, and all this. And yesterday I had that experience you have had, Leo, where I just said, OK, you know, I really want this thing to be done. I'm ready to have it be done. It's been a year. It's really good. I mean, it's gotten so good, but I can't live with the way it is. So I just scrapped all of that code from the beginning and I rewrote it.

[00:21:07] And it is a thing of beauty now. It is nice. It's like cleaning it up. It's just it feels good. And then it runs faster and it looks better. And it's understandable. I was like, OK, what does this flag do again? You know, because, you know, and I've always said I code so that I can read it more than so that the machine can read it. And in fact, one of our listeners, I don't think I shared his feedback, but it was really... he was a neat guy.

[00:21:36] He said, I started programming shortly before I started listening to the podcast. And at some point in the podcast, you made the comment that you named variables for what they did. Like, you know, "are we done with this yet?" was, like, the name of a Boolean variable.

[00:22:00] And he said, when I heard that my life changed, he said, I was you know, I was naming variables WDGT2. You know, and he said, I could remember what they meant. He said, now I just named them what they are. And he says, life is better. So anyway, you and I both love to code and and refactoring is a necessary.

[00:22:30] I wish you'd do a coding show with me at some point. I would love to. It'd be really fun. Yeah, I could definitely get into that. This reminds me that one of the great books on coding by Dave Thomas, The Pragmatic Programmer, was just reissued in its 20th anniversary edition. I don't know if you've ever read this, but this is one of those books that is full of that kind of thing. Name your variables meaningfully and so forth. And it's really good.

[00:22:56] They've just updated it because it was a little out of date, to be honest, with concurrency and some other things. Yeah, cool. Coding is an art and it's a science and it's just really enjoyable. And there's, you know, I have the luxury as a hobbyist coder. You have a luxury, too, because it's your code. You don't have a company. You get to do what you want, right?

[00:23:20] And so I think a lot of people who are working professionally as programmers don't get to make their code aesthetic. And they probably have rules about how to name variables. And there's all sorts of stuff that probably gets in the way. But we're lucky. We could pursue it as an aesthetic art and science. And for me, I've really learned. I've talked often about what I call switching cost. The cost to acquire a knowledge of a large code base.

[00:23:49] Now, after a year, I am the DNS Benchmark. And I'll tell you, when I began, I hadn't looked at the code since 2008. I didn't know how it worked. Right. And many times, I mean, I remember opening it up and going, wait a minute. This supports Windows 95. So, you know, I mean, it was jumping through some hoops in order to do that. But I bet it was.

[00:24:16] So for me, and everybody who's been following me knows this, I'm going to get this done. It is really going to be done. And then I am going to never probably touch it again. If there are bugs found, I will, of course, fix them because it's going to be commercial as opposed to freeware. But even my freeware, it doesn't have any bugs. This thing doesn't have any bugs.

[00:24:39] So for me, because it is so expensive for me to leave, and then I pretty much quickly forget, especially at my age, exactly all of the nuances. I mean, you and I code, Leo, because it is so difficult. I mean, we do stuff which is really hard. Yeah, it makes your brain work. Yeah, that's what's interesting. Exactly.

[00:25:01] And so that also means that you lose the sharp edge of your knowledge of a particular solution pretty quickly. I mean, it's very complicated. So my whole point is it is so much better for me to fix something now while I am it than it would be for me to switch over to the next version of ValiDrive and Beyond Recall and then need to come back to the benchmark and do something. It's just it.

[00:25:31] So, you know, for me, switching cost is so high. I want to get it perfected so that I don't need to come back to it. For me, it's just aesthetic. I mean, nobody's using my code. Nobody's reading my code except me. But it's just an aesthetic thing. It's so much prettier when... and it's hard to describe it. You know what I'm talking about, when the shape is right. You know when it's right, you know, and you know when there's something wrong with this. It's too many lines. It's something going on. I can make this prettier.

[00:26:01] And then you then you've got this great satisfaction of you did it anyway. Good on you. And I can't wait to see the DNS benchmark. That's good. There is a beauty to it. You're right. There is. There really is. It's an art. Yeah.

[00:26:41] Okay. Digital ID was now ready for me. The hook. The hook was that while the announcement was focused upon using this new Digital ID as a replacement for the REAL ID, which the US TSA, you know, airport security guys, are now requiring, the announcement also noted the app's use for age verification. So it's like, whoa, okay.

[00:27:11] Apple kind of slipped this one in under the radar. So at this time, Apple's new Digital ID, which is now available, anyone can set it up, is tied to a passport. Fortunately, I happened to have one. And Leo, I originally obtained my first passport when I was joining you in Toronto for appearances on Call for Help. And that's why I got my first passport.

[00:27:41] And then I later renewed it for the OWASP SQRL presentations, which I gave in Sweden and Ireland. And it was still current as a consequence, because passports last 10 years. So the process that I went through to establish the Digital ID was fascinating. The app required me first to aim the iPhone's camera. And this is an iPhone 12. It runs, it works.

[00:28:08] It's all the way back to iPhone 11 and forward, but you do have to have iOS 26, the latest iOS, on it. So it first asked me to aim the camera at the photo page of the passport, whose image it acquired and processed. Then, oh, I love this. It had me scan the RFID chip that's embedded in the back cover of the passport.

[00:28:37] The app showed me, in a little onscreen graphic, how to position the phone all over the back page of my passport. And it locked onto the RFID chip and made some wonderful, you know, data acquisition noises. While a little blue bar ran across the bottom of the screen, sucking in the digital equivalent of the photo from the passport.

[00:29:04] Presumably that chip contains much the same data as the visual page, but in obviously digitized format. Then the app required me to follow its step-by-step instructions, sort of in selfie mode with a screen showing my face, to prove to it that I was alive and that I looked like the picture on my photo in the passport. So I was instructed to position my face in a frame, look at the screen.

[00:29:34] Then it told me to close my eyes until the phone vibrated. So I did that. And after a few moments it vibrated and it was satisfied. Then it told me to give it a big smile, which I did. And the phone vibrated again. And then it told me to look to the right, which I did. So it was confirming that I was able to follow its instructions in real time and that my face was doing all the right things.

[00:30:01] And presumably it was all doing that whole 3D, you know, IR imaging stuff that the iPhone has as well. So I went through that. Verification was complete and I poked around in the app and it notified me that it had finished and then offered to add it to my wallet, which I did.

[00:30:27] So I now have a passport-authenticated digital, you know, government-issued identity in this new Digital ID that Apple started offering last Wednesday. Their announcement last Wednesday was headlined "Apple introduces Digital ID, a new way to create and present an ID in Apple Wallet."

[00:30:56] And then the tagline was "Digital ID offers a secure and private way for users to create an ID in Apple Wallet using information from their U.S. passport and present their ID with iPhone or Apple Watch." I'm going to share two things: Apple's little blurb, and then a less Apple-centric take from Lifehacker.

[00:31:22] So Apple said, Apple today announced the launch of Digital ID, a new way for users to create an ID in Apple Wallet using information from their U.S. passport and present it with the security and privacy of iPhone or Apple Watch. At launch, Digital ID acceptance will roll out first in beta at TSA checkpoints at more than 250 airports in the U.S.

[00:31:48] So it's not universal, but at launch time, 250 airports do support this in lieu of REAL ID. And I've not yet had a need to get a REAL ID, but I recognize I probably will at some point. They said, for in-person identity verification during domestic travel, with additional Digital ID acceptance use cases to come in the future. And again, it already talked about age verification as one of those instances.

[00:32:18] They said Digital ID gives more people a way to create and present an ID in Apple Wallet, even if they do not have a REAL ID-compliant driver's license or state ID. Digital ID is not a replacement for a physical passport and cannot be used for international travel and border crossing in lieu of a U.S. passport. So, you know, it's not meant to be a digitalized universally accepted passport.

[00:32:47] It's just a way of using an authenticatable U.S. government document, meaning your passport, in order to create a working domestic ID that you can use. And presumably international identity, not for passport use, but for age verification. We'll see.

[00:33:14] Then they said, Jennifer Bailey, Apple's vice president of Apple Pay and Apple Wallet, said, quote, with the launch of Digital ID, we're excited to expand the ways users can store and present their identity, all with the security and privacy built into iPhone and Apple Watch. Since introducing the ability to add a driver's license or state ID to Apple Wallet in 2022, we've seen how much users love having their ID right on their devices.

[00:33:43] Digital ID brings this secure and convenient option to even more users across the country, as they can now add an ID to Wallet using information from their U.S. passport. So that's the right way to think about this. And the announcement finished saying the launch follows the capability for users to add an eligible driver's license and state ID to Apple Wallet.

[00:34:09] If users do not have a U.S. passport to create their Digital ID, they can still add an eligible driver's license to Apple Wallet for those 13 states that allow that. Okay. So Jake Peterson, Lifehacker's senior technology editor, offered, as I said, you know, a little more balanced, less Apple-centric view of this.

[00:34:31] He wrote: back in 2021, Apple announced a new feature for the Wallet app that allowed users to add their driver's licenses or state IDs to their phones. To me, it sounded like the beginning of the end for physical wallets. In reality, it was anything but. Not only are the applications limited, but even after all this time, only 12 states and Puerto Rico actually support the feature.

[00:34:59] While the rest of us wait for our respective states to get on board, many might have another option for these virtual documents. On Wednesday, meaning last Wednesday, Apple announced digital ID, a new initiative that lets you create an ID in the wallet app using your passport. This bypasses the waiting period for the 38 states that don't yet support these ID features.

[00:35:26] If you have a passport, you can try this feature today. Even if your state supports driver's license and state ID uploads to the Wallet app, you'll miss out on features if you don't have a REAL ID. If you have a passport, however, you can use it instead, which opens up the Wallet ID feature to even more users than before.

[00:35:48] Like previous attempts at virtual IDs, however, don't expect to be able to use this Digital ID just anywhere you'd normally show documentation. Right now, the main use for Digital ID is for flying. According to Apple, Digital ID is launching in beta at over 250 airports to be used at TSA checkpoints. Importantly, this feature only supports domestic flights, even though it uses your passport.

[00:36:17] As such, do not rely on your Digital ID when flying outside the U.S. You'll still need your physical passport in order to validate your identity. In the future, however, Apple says you'll be able to use this Digital ID for other purposes, such as booking flights and hotels, as well as opening new accounts. And it also said, all over the screens, age verification. Okay, so clearly we still have a ways to go.

[00:36:46] In California, where Leo and I are, we have digital driver's licenses, as do 11 other states and Puerto Rico. But as we've noted before, support remains spotty. So Jake's point that a passport can provide Apple's Digital ID with a verified identity source means that those people who live in a state that does not yet support a digital driver's license,

[00:37:14] but who may have a valid passport, now have an alternative means to robustly identify themselves to their phone, and, for what it's worth, to use that at a TSA checkpoint if you don't have a REAL ID license. Many pieces of any complete solution for online age verification still remain missing, and we've talked about that many times. We need the W3C to get going here.

[00:37:42] And, you know, those pieces are big. But we do need to start somewhere. And I was encouraged by last Wednesday's pleasant surprise of Apple's digital ID, since this is likely the foundation which will develop into more in the future. This is a logical place for it to be. You know, from a foundation like this, Apple will be able to generate secure privacy-preserving assertions,

[00:38:11] such as over 18, without revealing a single additional fact about a device's user. And given everything we know about Apple, there is no company whose motivation surrounding the preservation of their users' privacy that I would trust more. I mean, if I were going to trust any entity, it would be Apple. You know, they've made this a feature of, you know, of their own identity.

[00:38:41] So anyway, it exists. Anybody who's got an updated iPhone and who has a passport can give it a try. It's a cool process. Oh, and as I mentioned, I have two phones. Because I saw that I was able to virtually turn off all the annoying aspects of Liquid Glass, I did update my more recent iPhone to iOS 26. So I'm running it on both.

[00:39:08] Although I've got the Reduce Motion and Increase Contrast features selected; those two things basically shut down a lot of the annoyance of Liquid Glass. Just this morning, I was curious to install the same identity with my passport in my other phone. I went through all the process.

[00:39:32] Oh, and interestingly, it gave me a different set of proof of life motions to go through. This time, I had to open my mouth wide and also look down. So it mixes that up from time to time in order to, you know, keep it interesting and to keep people from being able to spoof this presentation in some means.

[00:39:55] Although I'll bet you that they're using their IR technology to see that you're 3D and not just some sort of a 2D presentation. Anyway, the point was, once it got all done, I hit a roadblock. It said, whoops, this ID is currently installed in another device. You can only have it in one device at a time.

[00:40:18] So I thought, okay, well, the device I'd installed it in was not the one I carry around with me. So I removed it from the wallet in my older phone. That's sort of my desk phone here. And then I went through all the rigmarole again. And it was different rigmarole a third time. And then it installed this identity into my phone. So for what it's worth, you can't stick it in multiple devices.

[00:40:44] It is very tightly bound to one physical iDevice at a time, probably an iPhone. So anyway, cool that Apple is doing this. And again, you know, I think we're going to, I know we are going to get to a point where we have robust privacy preserving age verification as quickly as we can.

[00:41:11] And it will be, you know, this sort of initiative that, like, has Apple completely ready to engage that as soon as there's an API for them to talk to. And for what it's worth, there is that TruAge system. And it is in my Apple Wallet as part of my California driver's license. And it does allow me to scan a QR code to do some sort of magic. There's no, nobody's doing anything with it yet.

[00:41:38] And you need to be, you know, in the TruAge enclave in order to use that. I expect that that will be opening up because we did hear that the W3C was adopting some of the TruAge technology for their work in progress on online age verification. So anyway. It's kind of interesting that the Apple technique reads the RFID in the passport.

[00:42:08] Oh, it was so cool, Leo. Yeah. Yeah. I mean, it's the first time I've seen anything use the RFID. Yeah. And it goes, it actually vibrates as you're doing it, which is great. Yeah. It's really cool. Yeah. So now I'm going to do my live photo and then it's going to ask me to open my mouth. Let's see. It does different things. Sometimes close your eyes. You'll be added to several movements and all angles of your face will be scanned and evaluated by Apple.

[00:42:39] All right. Position your face. Your movements will be recorded. Okay. He's got his eyes closed now. Yeah. And then he'll have you do something else. Yeah. I think it's going to have the mouth open thing. Yep. Mouth's open now. I guess if I was a still picture, I couldn't do any of that. Right. Well, right. And it's probably watching you all the time.

[00:43:09] Like, you know, I'll bet you they've done a great, I didn't tell you to look to the right or to your left. Left. Yeah. Yep. You know, when you're doing the Sora thing, you know, to scan your digital thing to make AI videos, it takes a picture of you, but it also has you read three random numbers, and it's the same concept, right?

[00:43:34] It's like, these are zero proof identity because if it were a fake, you couldn't read that. 'Cause you don't know what those numbers are ahead of time. You couldn't read those numbers. So it's kind of interesting, the techniques people are coming up with to validate this. So, yeah. So I just set up my passport. I already have my driver's license. As you know, we set those up a while ago. Yep. Now you better get a REAL ID. You might be required to board an airplane at some time in the near future.

[00:44:00] Well, this actually is a substitute, given that the airport supports it. 250 airports at launch do. And you still have your, your passport is a REAL ID. So you don't need a REAL ID driver's license. Yeah. Exactly. Yeah. Exactly. Okay. So, Checkout.com. We'll do one more before our next break. Checkout.com says no to extortion.

[00:44:25] Last Wednesday, Mariano Albera, the chief technology officer at Checkout.com, who's been around, he was previously the CTO at Expedia, OVO Energy and Thomas Cook, posted his company's decision to say no to the, and we know these people well, the ShinyHunters extortion gang, in his posting headlined "Protecting our merchants, standing up to extortion."

[00:44:54] Mariano wrote: Last week, Checkout.com was contacted by a criminal group known as ShinyHunters, who claimed to have obtained data connected to Checkout.com and demanded a ransom. And the reason why is the first time.

[00:45:32] The first time we're going to be able to do one more. materials at that time. This incident has not impacted our payment processing platform. The threat actors do not have and never had access to merchant funds or card numbers. The episode occurred when threat actors gained access to this third-party legacy system, which was not decommissioned properly. This was our mistake, and we take full responsibility.

[00:46:01] We are sorry. We regret that this incident has caused worry for our partners and people. We've begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We're fully committed to maintaining your trust. We will not be extorted by criminals. We will not pay this ransom. Instead, we're turning this attack

[00:46:29] into an investment in security for our entire industry. We will be donating the requested ransom amount to Carnegie Mellon University and the University of Oxford Cybersecurity Centers to support their research in the fight against cybercrime. Security, transparency, and trust

[00:46:57] are the foundation of our industry. We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy. We are here to assist our merchants in whatever way we can. As always, we are available through your regular Checkout point of contact for any further assistance or questions you may have.

[00:47:21] So this is the way to handle a data breach, you know, if there's any way to do so. Mariano's donation is meant to have the effect of backfiring on the attackers. Not only will they not be paid, but the security researchers who work to track them down and take them down will be strengthened by

[00:47:45] receiving the money that Checkout.com refused to pay to the criminals. Nice going. Yeah, that makes lots of sense, Leo. Yeah, that's the way to do it. That's a way to do it. As does our next sponsor. Oh, yes. They make a lot of sense. We'll be back with more Security Now in just a bit. But first,

[00:48:09] a word from BigID, our sponsor for this segment on Security Now. BigID is the next generation AI-powered data security and compliance solution. BigID is the first and only leading data security and compliance solution to uncover dark data through AI classification. They can identify and manage risk, remediate the way you want, map and monitor access controls, and scale your data security strategy.

[00:48:39] Along with unmatched coverage for cloud and on-prem data sources, BigID also seamlessly integrates with your existing tech stack. That's nice. And allows you to coordinate security and remediation workflows. You could take action on data risks to prevent against breaches, annotate, delete, quarantine, and more based on the data, all while maintaining an audit trail. And it works with everything you work with. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS,

[00:49:08] and more. You could find it all at their website. With BigID's advanced AI models, this is cool. You can reduce risk, accelerate time to insight, and gain visibility and control over all your data. Maybe that's why Intuit named it the number one platform for data classification in accuracy, speed, and scalability. And I'll tell you what, if you want to think about what company,

[00:49:31] what group, what institution might have the most dark data, I can't think of anybody might have more than the United States Army, 250 years worth of it, right? They used BigID to illuminate their dark, yes, the U.S. Army, their dark data to accelerate their cloud migration, which has been a big priority for the services, to minimize redundancy, and to automate data retention. Imagine the amount of data

[00:49:59] they have to keep track of. This is a great quote from U.S. Army Training and Doctrine Command. They said, quote, the first wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails, zip files, SharePoint databases, and more. To see that mass and to be able to correlate

[00:50:26] across those, it's completely novel. I've never seen a capability that brings this together like BigID does, end quote. Wow. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and Deloitte 500, not just once, but four years running. The publisher of Cyber Defense Magazine says, quote, BigID embodies three major features we judges look forward to become

[00:50:53] winners, understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach, end quote. Start protecting your sensitive data wherever your data lives at bigid.com slash security now. You can get a free demo to see how BigID can help your organization

[00:51:16] reduce data risk and accelerate the adoption of generative AI. Again, that's bigid.com slash security now. Oh, also there's a free white paper that provides valuable insights for a new framework people are just starting to talk about, AI TRiSM. That's AI Trust, Risk, and Security Management, to help you harness the full potential of AI responsibly at bigid.com

[00:51:43] slash security now. Get that white paper for free. Bigid.com slash security now. Thank them so much for supporting the important work Steve's doing here at Security Now. Now back to the show. So last year, Apple launched their Private Cloud Compute, and Google is now offering

[00:52:04] a similar solution. Under the banner "Private AI Compute: Our next step in building private and helpful AI," last Tuesday Google said, today we're introducing Private AI Compute to bring you intelligent AI experiences with the power of Gemini models in the cloud while keeping your data private

[00:52:27] to you. Okay. So I've taken out a bunch of the glad-handing market speak, and I'm excerpting just the technical bits from their announcement. They said, today we're taking the next step in building helpful experiences that keep users safe with Private AI Compute in the cloud, a new AI processing platform that combines our most capable Gemini models from the cloud, and they just released three, by the way,

[00:52:55] with the same security and privacy assurances you expect from on-device processing. It's part of our ongoing commitment to deliver AI with safety and responsibility at the core. They said AI is evolving to become even more helpful, personal, and proactive. It's moving from completing simple requests to AI that can anticipate your needs with tailored suggestions or handle tasks for you at just the right moment.

[00:53:23] This progression in capability requires advanced reasoning and computational power that at times goes beyond what's possible with on-device processing. Okay. Now, I suspect there's universal agreement about all of that. The thing that appeals to me about this is that AI inherently requires

[00:53:53] short but massive bursts of computation, you know, often followed by long periods of quiescence where you're not doing anything with it. You know, anyone who has been around since the days of the mainframe will recognize that this was the original brilliant concept that became known as time sharing. You know, now we all just talk about it like it's nothing, but, you know, before

[00:54:20] time sharing, there wasn't any such idea. Time sharing changed the world. The idea there was that no one needed the full-time services of a massively expensive and very capable mainframe, and mainframes were all there was back then. So instead hundreds of people

[00:54:45] could use little time slices of that big machine's power. The result of that was massive efficiency. Then later, the minicomputer more encouraged a one-on-one usage mode, although there were certainly many, many minicomputers running time-sharing operating systems back then. Although those

[00:55:10] really might've been called mini-mainframes. What really drove the nail in the time-sharing coffin was the microcomputer, where the costs had come down so far that it no longer made any sense to share that machine. So what developed was a truly personal computer. So the internet, massive connectivity,

[00:55:33] and massive data storage has begun to shift this model back toward the shared massive resources model with cloud computing. It's pretty clear that Microsoft for their part would be delighted to be servicing everyone out of their data centers. And of course that would be terrific right up until everyone suffers a massive service outage as Microsoft and all their cloud dependent users recently did.

[00:56:02] And by the way, a similar outage took down Cloudflare for many hours this morning, a huge, like, global outage at Cloudflare. So yeah, the cloud is great right up until it's not. So as I first noted, though, everything about the usage model of today's AI suggests that time

[00:56:28] sharing is back. And for exactly the reasons it was first explored in the early 1960s, massive resources used only briefly and intermittently by a great many people. So that leaves us with the question of security. You know, the architecture makes sense, but what about the security? Google wants us to believe

[00:56:51] that this can be every bit as secure as running on device, meaning locally, you know, on some poor overworked array that we're probably pouring ice water on and which is converting into steam. You know, everything we know tells us that it cannot be as secure, right? I mean, it's not

[00:57:17] going to be. Nothing in the cloud is going to be as secure as on premise by definition. The security models are just not identical. Well, it's in transit. Anytime it's going from one point to another. I know. I think that's exactly right. So the question is, if it cannot be identical in security, can it be secure enough? Right. The problem with local compute is that to

[00:57:46] be fast enough, it needs to be super powerful, and being cost effective while being super powerful means somehow keeping the darn thing super busy. So the test for Google or Apple or any other cloud-based AI, what amounts to a time-sharing farm, is not whether it's as secure as local, because it's not.

[00:58:13] The question is, is it secure enough? So here's what Google, you know, says, claims, to convince us that theirs is. They said, we built Private AI Compute to unlock the full speed and power of Gemini cloud models for AI experiences while ensuring your personal data stays private to you and is not

[00:58:38] accessible to anyone else, not even Google. Private AI Compute allows you to get faster, more helpful responses, making it easier to find what you need, get smart suggestions and take action. Private AI Compute is a secure, fortified space for processing your data that keeps your data isolated and private to you. It processes the same type of sensitive information you might expect to be processed

[00:59:08] on device, meaning locally. Within its trusted boundary, your personal information, unique insights, and how you use them are protected by an extra layer of security and privacy in addition to our existing AI safeguards. Private AI Compute is built on a multi-layered system that is designed

[00:59:32] from the ground up around core security and privacy principles. And they have two bullet points. First, One integrated Google tech stack. They said Private AI Compute runs on one seamless Google stack powered by our own custom Tensor Processing Units, which they call TPUs. World-class privacy and security

[00:59:57] is integrated into this architecture with Titanium. That's titanium, Leo. Not iron, not steel, not diamond, gold or anything. Titanium Intelligence Enclaves. Those are TIEs. This design enables Google AI features to use our most capable and intelligent Gemini models in the cloud with our high standards for

[01:00:23] privacy and the same in-house computing infrastructure you already rely on for Gmail and Search. Except I don't think these are the same, but okay. Then second, they said, No access. Remote attestation and encryption are used to connect your device to the hardware-secured, sealed cloud environment. Oh, it's sealed.

[01:00:49] Okay. Allowing Gemini models to securely process your data within a specialized protected space. This ensures sensitive data processed by Private AI Compute remains accessible only to you and to no one else, not even Google. Okay. Now, I don't know how they do that because, you know, totally the model is being trained

[01:01:17] on plain text, which means any prompting you do has to be submitted as plain text to the model, which means it needs to be decrypted and presented to their GPU farm. So, you know, maybe they've got an electric fence around the data center. I don't know. But does this make sense for whose application? I don't know. It's not

[01:01:46] for me to judge. What I can judge is that the concept of sharing massive AI compute in the cloud makes all kinds of sense. The architecture, absolutely. That's what rings so true here. And I would also note that doing this

[01:02:06] is a, you know, doing this in a truly privacy-preserving fashion is not for fly-by-night outfits. I would stick with brand names here, you know, Apple. Yes, they clearly have invested heavily in this. Google says they have, you know, I would not, they seem pretty

[01:02:32] good with security. I can't think of any breach that Google has ever experienced. Can you? That's true. It's true. We are unaware of them ever having a big data breach. Yeah. Yeah. And so that's significant. You're right, Leo. So if you're using cloud AI to quickly compute

[01:02:57] gambling odds for, you know, near-real-time betting, then I would say it probably doesn't matter who you use. But if you're using cloud AI to form your publicly traded Fortune 500 company's 10-year product development plan, frankly, I'd have a difficult time letting that anywhere near the public internet,

[01:03:21] regardless of what assurances are being made. But if you need to, use a security-first host. And I would agree with you, Leo, Google has a great track record. Whatever Tensor Processing Units wrapped in Titanium Intelligence Enclaves are, it all sounds really good. Yeah. Yeah. Okay.

[01:03:46] Sounds like we're safe there. So, no, so anyway, it's there. AI, you know, Apple introduced their concept. We know that Apple is going above and beyond by x-raying the servers that come from offshore to make sure that there's no unknown components that have been added. And, you know, I mean, they are really making sure they don't get caught with their

[01:04:14] pants down. We can assume that Google has means of doing something similar. Certainly they've got the money to do that. And, you know, there is money pouring in and out of all this. There was a really cool article in Vox that I read this morning about, is it, it's something weave, a major third party. CoreWeave. Yeah. CoreWeave, they are a network operations

[01:04:41] solution. Yeah. And, you know, basically providing this service as a third party to these big guys, who have all announced they're building their own data centers to compete with CoreWeave. So it's an odd deal, but, you know, it's a very money on this. Yeah. Well, the stock market's crashing today because NVIDIA was down hugely. So yeah. Fourth day in a row that

[01:05:09] I mean, everyone bubble to pop, and I don't want it to, 'cause my entire retirement's based on the... Everybody is speculating that, like, whether we are in an AI bubble, which is responsible for all the growth that we've seen recently. So, you know, I feel like I understand why everybody says that, I really do, but I also, and you agree with me, I think, think there's real value

[01:05:32] in the stuff that AI is doing. I am, I am. It's amazing. Stunned by it now. I mean, as a research assistant, it is invaluable. One thing in this article that caught me off guard a little bit was that this CoreWeave group, they own 250,000 NVIDIA GPUs. They are an NVIDIA-only

[01:06:01] company. They must be more than anybody. That's amazing. They own a quarter million NVIDIA GPUs, and get this, Leo. They used it as collateral to collateralize a massive multi-billion

[01:06:21] dollar loan. It's like gold bars. Okay. Now what I remember about Mark Thompson, when Mark was, 'cause he was an early cryptocurrency miner, he would fill his garage with racks of mining rigs and he would mine for, like, I think it was like a year or year

[01:06:49] and a half until those rigs became obsolete. Right. Because there was constant evolution in the chips. He would then resell these GPUs, I know, hundreds of GPUs, on the secondary market, make back the money that he had spent and then reinvest in the next generation of mining rigs

[01:07:14] and mine for another year and a half. And then again, sell it all off on the secondary market, recapture his capital investment, and then do it again. That's a lot of work. It's a lot of work, but what worried me about CoreWeave is they now have a quarter million aging and soon-to-be less valuable than state-of-the-art NVIDIA GPUs. Right. So unfortunately,

[01:07:43] you know, the world is moving forward. Microsoft is apparently building their own chips, you know, engineering and having their own chips in the works somewhere. I don't know who's going to do their fab, but anyway, I thought it was interesting that here they're saying, oh yeah, we have 250,000 NVIDIA GPUs. Woo. And we use it

[01:08:06] to collateralize our debt. But they're getting old. Right. And they're not going to be worth, they're not going to be what you want in five years. Right. It's an interesting, yeah, situation. Just, you know, just don't hit my IRA too hard. Okay. Well, my problem, and I've said this over and over, is that, I talked about it last week, none of this is making money yet.

[01:08:35] I think it will. That's the question. Is there value being created? And I think there is. Yes. I think we're in for a reckoning because, you know, there's just too much cash that has poured into this speculatively. But long-term, as I said, back when I purchased my 10-megabyte hard drive, we did not know that we would ever have

[01:09:03] a 64-gig dongle on our key chain. We didn't know how to get there from here yet. We got there anyway. And similarly, we don't know what is going to come next. Everything, every instinct we have tells us that we are going to get there, that AI will become so cost-effective that it is going to change everything. I think a lot of, of course, we talk about this on

[01:09:33] Intelligent Machines every Wednesday, and it's a great subject because it's happening so fast that it's unknown. But I think that we had a great conversation with Kevin Kelly last week, and his opinion is that AI will be embedded in everything. Just as computing has gone to the edge, the next step is for AI to go to the edge, and it will be embedded in almost everything we use. And I think that's going to be a very interesting world, right? That's all I have

[01:10:00] to say about it. I don't know if it's good or bad. It's interesting. I used Claude Code the other day to completely refactor my Emacs, a very complicated Emacs setup. And it did a great job. It, like, understood Emacs deeply and was able to write all this code and do such a great job of it. I was very impressed. And remember that, as I said, very early on, to me,

[01:10:25] code was the obvious target because it is rigorous. It obeys rules. It's got syntax and semantics, and it can be understood. And so I'm glad. I, you know, I mean, I know lots of coders are threatened by AI. I'm not. It's not going to bother me. No, no, no. Yeah. Well, but it's also mind-boggling that you could take something that

[01:10:49] is basically just trained on a massive text. It is a sophisticated prediction model, and it can understand code and write code. I don't understand. That's mind-bending. It's amazing. Anyway. Yeah. We live in interesting times, Steve. Ah, and I know that our listeners are following along with this

[01:11:12] and are interested too. So, last Wednesday, Google tacitly acknowledged that they had been wildly overzealous with their pronouncement that all Android developers would henceforth be required to register using their real-world identities and pay for the privilege before they would be able to publish their apps on the Google Play Store for Android devices.

[01:11:43] Their first update reiterated the crucial importance of tightening down the security of Android's apps. But then, on the subject of students and hobbyists, they began the backpedaling, writing: We heard from developers who were concerned about the barrier to entry when building apps

[01:12:11] intended only for a small group, like their families or friends. We're using your input to shape a dedicated account type for students and hobbyists. This will allow you to distribute your creations to a limited number of devices without going through the full verification requirements. Okay. So that sounds like a

[01:12:38] terrific option to address the needs of those who are not looking or needing to reach a mass of users. Certainly there is that community. Okay. But what about users of, for example, F-Droid, who are advanced and security aware? Google has made a carve-out for them too, explaining, while security is crucial,

[01:13:03] We've also heard from developers and power users who have a higher risk tolerance and want the ability to download unverified apps. Based on this feedback and our ongoing conversations with the community, we're building a new advanced flow that allows experienced users to accept the risks of installing software that is not verified.

[01:13:32] We're designing this flow specifically to resist coercion, ensuring that users are not tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved.

[01:13:54] But ultimately, it puts the choice in their hands. We're gathering early feedback on the design of this feature now and we'll share more details in the coming months. So again, this sounds like the right approach, and it solves the F-Droid dilemma that we talked about previously.

[01:14:16] But, you know, so far Google's primary goal of knowing and holding accountable the developers of apps for Android, that's not disappearing. You know, it's onerous. I get it, but I don't see any other way to deal with this problem, which has admittedly grown out of control. Something needs to change.

[01:14:38] Any developer who wishes to offer apps to the wider Android user base and who doesn't want to subject their potential users to Google's deliberately terrifying advanced installation flow will need to register. That's the way to avoid that. Otherwise, for any app published by an unregistered developer, which is what Google is now calling them, Google will probably say something like,

[01:15:08] please acknowledge that you understand that by downloading this tiddlywinks in space game, you may be placing your life and the lives of everyone, everyone you hold near and dear at significant risk. Now, of course, developer registration will prevent those notices, which would probably dramatically increase download counts.

[01:15:32] At some point, it's also conceivable that the Google Play Store may even offer a filter to only show apps from known, which is to say, registered developers. So anyway, they clearly, they faced a bunch of blowback from that, you know, blanket pronouncement that, you know, you've got to be registered to play in our sandbox in the future. And they said, OK, we're going to make that optional.

[01:16:00] But, you know, but if you're not registered, then your user is really going to have to recognize, you know, risk and accept risk and push past a bunch of notifications. And if you only want to publish this thing for a few people, just, you know, as a hobbyist or a student, then, you know, you don't have to do anything. So, you know, that was a good change. And Leo, we're a little bit past an hour in.

[01:16:29] We're going to talk about Windows 11 adding a passkeys API, which two of our sponsors, 1Password and Bitwarden, just happen to both be the only supporters of at launch. That's as opposed to supporting passkeys. It's supporting the API. I'd be interested in what you do with that. Yes, it allows those two to deeply integrate with Windows 11

[01:16:57] as the passkey supplier for the OS. By the way, my passport was initially rejected for some reason. The verification didn't happen, but I did it again. And now I do have my U.S. passport in my wallet. I don't know what I can do with it, but I got it. That's what mine looks like, too. Yeah, it's just a blue card. Yeah, I think what will happen, what I'm guessing is that

[01:17:25] Apple now absolutely positively knows your age. So when there is an API that allows your phone to scan a QR code on a site that says you need to prove that you are an adult. They do say that online, but you have to use Safari, their browser. So there's an API. There's some sort of interaction they've built in. Right. Yeah. Interesting.

[01:17:53] So at that point, there will be privacy preserving. Again, I trust Apple to do this. That's all they would allow. Yeah. This is what we need. We're getting there. Yeah. Speaking of getting there, let's talk about surviving a disaster like ransomware in your business. Our sponsor for this segment of Security Now is a name you should know, Veeam.

[01:18:22] When your data goes dark, Veeam turns the lights back on. Veeam, V-E-E-A-M, keeps enterprises running when digital disruptions like ransomware strike. This is, it seems to me, if you have a business and you're not using Veeam, you're not paying attention. This is something everybody needs.

[01:18:46] Veeam's powerful data recovery options ensure you've got the tool that you need for any scenario. Broad, flexible workload coverage. And one of the reasons, you know, Veeam is more than backup is because your data is in clouds, it's in containers, it's on-prem, it's all over the place and everything in between. But Veeam can handle that, you see? Full visibility into the security readiness of every part of your data ecosystem.

[01:19:15] That's key. And also, it's tested, it's documented. You will have provable recovery plans that you can deploy with the click of a button using Veeam. That's absolutely critical because you don't want to be searching for that button when the system is down. You don't want to load a restore that doesn't work. You need Veeam.

[01:19:42] Veeam is the number one global market leader in data resilience. Just call them the global leader in helping you stay calm under pressure. With Veeam, it's all good. Keep your business running at Veeam.com. That's V-E-E-A-M dot com. Just look at all the Fortune 500s that use Veeam. Just look at all the companies all over the world. Go to the website. Take a look. And you will see why you need Veeam.

[01:20:11] Don't be another headline. Another company brought down by ransomware. V-E-E-A-M dot com. Data resilience isn't just a buzz term. It is something we all need. Veeam.com could give it to you. All right. Back to the show at hand, Mr. Gibson. Let's talk about passkeys. Yeah.

[01:20:34] This month's November update to Windows 11, which Windows 11 users will probably have, added an API that allows third-party password managers, near and dear to our heart, to deeply integrate with Windows 11. Under the heading Windows 11 expands passkey manager support, here's what Microsoft explained last week. They said Windows is committed to making sign-in simpler, quicker, and more secure for every user.

[01:21:04] Today, we're excited to announce a major step forward in passwordless authentication, native support for passkey managers in Windows 11. This new capability empowers users to choose their favorite passkey manager, whether it's Microsoft password manager or trusted third-party providers. Wait. How do you feel about that, Steve?

[01:21:33] Or whether it's Microsoft's limited password manager or trusted third-party providers. They said it's generally available with the Windows November 2025 security update.

[01:21:47] By partnering closely with third-party managers, we're delivering a more flexible, secure, and intuitive experience for Windows users everywhere, starting with 1Password and Bitwarden today and other passkey managers coming soon. But who cares about them? Okay.

[01:22:08] So I had to smile when I saw that the two top password managers we're affiliated with are the two that are enough on the ball to be participating with Microsoft on this out of the gate. Microsoft's announcement then quoted Travis Hogan, end-user product manager for 1Password, saying,

[01:22:29] Quote, working alongside the Windows security team on the development of the passkey plugin API for Windows 11 has been a rewarding partnership. As the first password manager to offer native passkey support in Windows 11, and actually he's tied for first, we're proud to give customers a seamless passwordless experience inside and outside the browser.

[01:22:53] Together, we've ensured that 1Password and other third-party password passkey providers can deliver a secure, standards-based experience natively on Windows, marking another major step towards a passwordless future. Okay. Now, however, as I said, it appears that 1Password is actually tied for first with Bitwarden,

[01:23:17] since we also have in Microsoft's announcement, Bitwarden quoted, saying, Bitwarden is delighted to collaborate with Microsoft on bringing native passkeys to Windows 11. This partnership enables more organizations and users to embrace passkeys confidently, knowing they can manage their credentials securely on Windows and across all their devices and platforms. Microsoft then asks themselves the rhetorical question,

[01:23:47] why plug-in passkey managers? Which they answer, passkeys are phish-resistant, less vulnerable to data breaches, and easier and faster to use than passwords. With plug-in passkey manager support, you get choice and flexibility. Use your preferred passkey manager natively on Windows. Easy authentication. Create and sign in with passkeys using Windows Hello.

[01:24:16] Passkeys everywhere. Your passkeys are synced between your Windows PCs and mobile devices. They go where you go. They finished with plug-in passkey manager support. Package credential managers can integrate directly into Windows. Users can save, manage, and use passkeys across browsers and native apps. Thanks to the new plug-in provider capability. Setting up your credential manager is part of the passkey creation flow.

[01:24:47] Authentication uses Windows Hello, whether that is a PIN, face, or fingerprint. So only you can access your credentials. And then, of course, not to be left out, talking about their own Microsoft password manager, they remind us of its benefits, writing, we've integrated Microsoft password manager from Microsoft Edge natively into Windows. You can do that every time you say it.

[01:25:17] It just comes out.

[01:25:45] Passkey operations, creation, authentication, and management are protected by Windows Hello. Passkeys stored in Microsoft password manager will be synced and available on other Windows devices, where the user is logged into Microsoft Edge with the same Microsoft account. So arguably, this would be better than a JavaScript password plug-in, right? This would probably be more secure. Oh, yeah.

[01:26:12] And if you didn't have already 1Password or Bitwarden, and you were happy to be contained within the ecosystem of Microsoft's password manager, which, again, you can't use it on an iPhone or Android or elsewhere. You know, you don't get all of that cross-platform support. Then that would be great.

[01:26:40] Essentially, what Microsoft did was they took the password manager that is in Edge, and they wanted to – the passkeys manager that's integrated into Edge, and they wanted to make it available to Windows natively. But the way they did this was to create an API for Windows, which Edge's password manager can now talk to.

[01:27:09] But, being fair, so can 1Password and Bitwarden. So any of those three, Microsoft's password manager supports the API, as does 1Password and Bitwarden. So users get to choose. You know, and they talk about how their solution is able to use Azure's managed hardware security modules

[01:27:36] for synchronization and tamper-proof recovery with Azure's confidential ledger. So there are – you know, Microsoft, of course, is always looking at the enterprise. So there are enterprise use cases where that may be the best solution for that application environment.

[01:28:02] But for all of our users who are not in the enterprise world now, for the first time, after this November – after getting this November 11 – November Windows 11 update, they're now able to link 1Password or Bitwarden directly into Windows 11.

[01:28:22] So I think that they probably recognized that this was going to happen one way or the other, right? I don't think they created the API out of the goodness of their heart. They must have realized that there was no way they could force everyone to use their Windows-centric solution because a lot of us are using Bitwarden and 1Password. So –

[01:28:50] Instead of – what was that other one that Microsoft's suggesting people use? That would be Microsoft Password Manager. Nice. Yes. So last week, Microsoft, 1Password, and Bitwarden published synchronized news releases about this appearance. Here's what Bitwarden themselves said about this.

[01:29:19] They said, now available in beta, the Bitwarden desktop application integrates with Windows 11 for an OS-native passkey experience. That's what this means, is that Bitwarden will be able to provide passkeys natively to Windows 11, which itself has passkeys as part of its structure natively.

[01:29:44] Any passkey created, they wrote, and securely stored in the vault is synced to all your devices, providing you access from anywhere. And that's the big advantage over – get ready for it – when the Microsoft Password Manager – Right. They – Sorry, a little late on the button. This works both ways. They said this works both ways,

[01:30:11] allowing for passkeys already saved in Bitwarden vault to be used in Windows 11 for applications outside the browser and for the use of passkey website logins inside the browser, even – and here it is, Leo – without needing to have the Bitwarden extension installed. Yeah, I think that's probably better, right? Better, yes. Yeah. Yeah.

[01:30:37] Simply select the Bitwarden desktop application when Windows prompts you to choose a passkey provider. So now in Windows 11, there is this new passkey provider interface choice, and Bitwarden, with it installed, will be listed there. And they finished saying, Bitwarden worked closely with Microsoft to develop the Windows component required for this functionality.

[01:31:05] In this beta release, the feature requires installing the desktop application from the GitHub repository. It will later be widely available through the standard desktop application install. And Travis, with 1Password, wrote, After six months in beta and working hard to address all your feedback, today's the day we finally bring desktop-level support for passkeys on Windows 11. No browser? No problem.

[01:31:34] You'll be able to seamlessly sync and manage passkeys on Windows, with 1Password as your credential manager. We're also introducing an improved onboarding flow to enable 1Password passkeys on Windows 11 to better meet you where you are. However, this integration requires the MSIX version of 1Password for Windows. It uses the MSIX.

[01:32:01] That's their latest installer, essentially. It replaces EXEs and ZIPs and MSIs. So it's MSIX. They said, or Travis said, It uses the MSIX technology to better support all the functionality Windows 11 offers, including system-level passkeys. We've already begun to process, the process of migrating nightly and beta users to the MSIX build.

[01:32:31] And we're starting to migrate those on stable today. If you'd like to get a jumpstart, you can download the latest version of 1Password for Windows. He said, Try out the new passkeys features on Windows. Ensure you, or to try out the new passkeys features on Windows, ensure you're on the most up-to-date version of Windows 11, meaning you have to have November's, this month's update.

[01:32:57] Download the latest version of 1Password for Windows here, and I've got the link in the show notes. Enable the passkey feature in your desktop app through the new onboarding prompt, or with settings, autofill, and enabling the show passkey suggestions setting. And he says, You should be redirected to enable 1Password as the system authenticator. If not,

[01:33:23] enable system settings account passkeys advanced options, then enable 1Password using the toggle. As of today, the ability to use passkeys is available to all Windows 11 users. We'd again like to thank the Windows security team for partnering with us so closely in order to get this out the door. Try it out and let us know what you think. So I've got three links in the show notes. One to Microsoft announcement that has links to everything else, then also the 1Password announcement with their links,

[01:33:53] and the Bitwarden announcement with theirs. So anyway, I know that a lot of people have moved to Windows 11. Lots of our listeners are there. The community is there. And now you can turn this stuff on to get, you know, really, really nice deep integration with Windows. That's very cool. Yeah. Yeah. Okay. I ran across an interesting piece of news,

[01:34:18] which was weirdly tied in with today's topic about cellular technology. Here's what the news that was published reported. This is from an organization that got kicked out of Russia and then all of their staff moved to Europe, where they could continue reporting in an unbiased fashion as they had been. But of course, you can't report in an unbiased fashion if you're in Russia.

[01:34:47] So really good reporting. They said, the Russian Ministry of Digital Development, Communications and Mass Media announced on Monday, that's a week ago, that Russian authorities have begun blocking mobile phones being brought back into the country from abroad for 24 hours in an attempt to undermine Ukrainian drone strikes.

[01:35:13] The ministry said that the measure had been applied in test mode on Monday with mobile internet and SMS messages being blocked for 24 hours for anyone returning to Russia from abroad or for those who have not used their SIM card for three days, 72 hours. They wrote,

[01:36:04] telecom operators, MegaFon and Beeline were already warning their customers about the temporary suspension of their mobile data, but said that a Beeline link to restore access to data services did not appear to work. So still getting the bugs out of this. The ministry said the measure had been introduced to avoid SIM cards being used to navigate Ukrainian drones.

[01:36:28] The cooling off period was first reported by Russian business daily Kommersant on Friday, with some experts warning that technical glitches could mean that SMS notifications warning clients about the measure would not arrive, leaving people confused who had just reentered the country why their phone wasn't working. Last month, last month,

[01:36:50] the Russian authorities began blocking foreign SIM cards from accessing data networks and texting services for 24 hours after entering the country to enable them to distinguish genuine foreign SIM cards from those being used to navigate Ukrainian attack drones, according to tech specialist media outlet, so anyway, I thought that was a pretty clever idea. It's likely to have the tendency, not surprisingly,

[01:37:20] to false positive somewhat, but Russian citizens will just need to put up with that inconvenience. You know, it's probably better than getting blown up. And since most in-country SIM cards will be persistently connected to Russia's internal network, the idea would appear to be broadly workable. So the idea of not giving any newly appearing SIM card,

[01:37:46] internet or SMS messaging access for a period of time after it first appears, I would call that pretty clever. What's not clear, though, is how this would prevent an enemy drone from using cell towers for navigation. Navigation and communication would appear to be separate.

[01:38:07] And it was my impression from the reporting that I've seen that Ukrainian drones were using Russia's cell towers to determine their location just by knowing where the towers were and what the relative signal strengths were from the towers. But perhaps there is also command and control happening as well, which is required. You know, you can begin to think of ways to get around this, right? Like, like,

[01:38:37] like how long must you be out of country and out of cell service before the, the, the, the boom drops so that maybe you could take SIM cards, which had been active in country, quickly send them to Ukraine, install the drones and have them come back. I don't know. You can see how it would be a big problem in Russia. They, they are fighting this drone battle and yeah, people are controlling these drones using SIMs. So yeah,

[01:39:06] I could see why they want to do it. And the question, you know, it's like, okay, apparently voice service is not disconnected, only internet and SMS, which makes me wonder why you couldn't switch to a voice channel control. It would take a little cleverness, but you know, could you do data over the voice channel? Yeah, exactly. Like modems used to, right? Yeah. In fact, SMS uses, uh, is data over the voice channel. So yeah, yeah, right.

[01:39:35] So maybe you just identify it differently. Why is that drone lagging so slow? 300 baud, you know, doesn't give us much control, right? Um, Google has filed a lawsuit against a Chinese phishing-as-a-service platform called Lighthouse. The numbers are what caught me up here. Lighthouse is believed to be behind that recent waves. Well, recent waves,

[01:40:04] many recent waves of SMS spam that targeted users across the world, uh, posing as Google, you, uh, the United States Postal Service and other services. Uh, the service has compromised to get this Leo over 1 million victims across 120 countries. Google is seeking a court order to shut down Lighthouse's infrastructure.

[01:40:31] And seeking injunctions against 25 identified individuals with the organization. And, you know, and I know this thing is out there every week or so, as I've mentioned before on the podcast, Lorrie will show me an SMS message and ask me whether it's legitimate, you know, and it's like, no, they never are, but you know, more than a million victims. Oh, I see them every day. Every day. Yeah. It's just, it is a flow. Yeah. Not good. Um,

[01:41:01] okay. A listener who, uh, asked for anonymity. Uh, he, he identified himself as Anon the Moose. He said to Mr. Steve Gibson, he said, I needed to stop the most recent podcast and pen a reply because I must respond. I also must disclose that I'm unable to speak for my employer or anyone else, including myself. Okay.

[01:41:30] You can speak for yourself. Speak for yourself. So please refrain from using my name. Oh, okay. I hope that Anon the Moose is not his name, but okay. He said, I won't say I'm old, but I have been messing with computers for only five decades or so. I don't remember when I first started listening. I know I can't claim number one, but it was definitely in the low one or two hundreds.

[01:41:57] I'm also a fan of the TWiT network and several of the past and present podcasts. Thank you, Mr. But you, yes, Mr. Moose, but your rant today about the demise of XSLT technology is what made me respond. This is not the first time you talk about some format or another about how bad it is. And that is, and that how great it is to have it finally going away.

[01:42:25] If I had a bingo card with the stuff I work on, it would mostly be filled in by now. Oh dear. Yeah. He says, yes, I understand that interpreters are gaping security holes. I would also like to point out that the metrics, the various companies are not accurate. When you talk about things in closed environments with respect to XSLT,

[01:42:51] I work on an international standards group that has tens of thousands of XSLT code that converts files of many different formats into an HTML deliverable that describes the exchange model. That is a fairly complex graph. As a side note, there is a significant amount of Leo's favorite language, Lisp, in play too.

[01:43:18] I bet there is also an ancient code. Yeah. He says, ironically, tomorrow morning, I will be in a meeting where my proposal for a new technology stack will be questioned by folks that started working on this project before XSLT was invented. The refrain I always get is if it works, why change? Sure. Because it will cost millions of dollars and several years to change. In the past,

[01:43:48] you spent several episodes dancing on the grave of flash. It turns out it can create a very good UI in a PDF file. And when Adobe finally pulled the plug, it killed a set of PDF applications that were used to maintain some expensive hardware. Even further back, you had a minor go at CGM where people were hiding malware in graphic files.

[01:44:17] I work in an industry that uses those files for illustrations. And now that they are only uncommon on the web internally, I need nine plus digits to count them, especially when data retention and archiving is needed. I once wrote a tic-tac-toe game to demonstrate the things you could do with a graphics file. If you want a crystal ball of what will be the next thing to be disallowed,

[01:44:45] I could look at the other things I have in my development directories to give you an idea of what the world will probably deprecate next. Keep the content coming. It might be what is keeping me sane. Signed, Anon the Moose. Well, I guess if you've been working this business long enough, you're probably going to work on a few deprecated technologies. I think that our anonymous Moose intends to make the point by way of grumbling about past work

[01:45:14] that occasionally needs to be tossed into the dustbin of history, that the world is changing, and that development is a moving target. That's probably never been more clear than with the relatively sudden rise of AI coding agents. It seems that production coding tomorrow is not going to look anything like production coding today. Leo, we're at an hour and a half in. Let's take a break, and then we're going to continue looking at some other aspects from our listeners.

[01:45:44] Well, maybe this would be a good time to mention Bitwarden, our sponsor for this segment of security now, our favorite password manager. It is a trusted leader in passwords, but also in pass keys and in secrets management. In fact, this is a niche feature, but if you need it, it's great. They recently added the ability to generate and store SSH keys, public and private, within Bitwarden.

[01:46:14] I have all my SSH keys in there. I can very easily access the public keys to put them on a server, keep the private keys secure, which is really important, and I trusted in Bitwarden. Bitwarden is the place to store stuff you just want complete control of. You don't want anybody else to get. Bitwarden is consistently ranked number one in user satisfaction by G2 and software reviews. I mean, sure, it does encryption right. It stores everything securely,

[01:46:43] but if it weren't easy to use, people wouldn't use it. So it's important that it is number one in user satisfaction. More than 10 million users across 180 countries and over 50,000 businesses. Because it's open source, I think Bitwarden's faster moving than almost anybody else in incorporating new important technologies like the ability to store SSH keys.

[01:47:07] They were able to add the Argon2 implementation very quickly to replace PBKDF2 and provide a much better memory-hard encryption technology. And because it's open source, one of our listeners, in fact, wrote an Argon2 and Bcrypt implementation, submitted the pull request to Bitwarden. They reviewed it.

[01:47:36] They approved it. They said, let's just do one. We don't want to confuse people. They implemented the Argon2. It's in there. It's things like that that make me really appreciate Bitwarden and really appreciate open source. Here's another example. We talk a lot about AI and AI authentication is becoming very important, especially for agents who are going to go out and act on your behalf, right? Bitwarden has launched an MCP server. Now it's early days. It's available on the Bitwarden GitHub along with all the other Bitwarden code.

[01:48:04] What does it do? It enables secure integration between AI agents and credential workflows. Expanded documentation distribution are planned. This is, you know, part of the roadmap, but they wanted to give you a heads up. It's available now on GitHub. This is a secure standardized way for AI agents to communicate with Bitwarden. Users benefit from a local first architecture for security. The Bitwarden MCP server runs on your local machine

[01:48:33] and all those client interactions within the local environment, they stay within the local environment, which minimizes the exposure to external threats, as we talked about. When it gets on the wire, you lose control of it. Not with this. It stays local. It also integrates with the Bitwarden command line interface. One of the reasons I love Bitwarden, works on Windows beautifully, great GUI, works on Mac, great GUI beautifully, but there's also, and there's a GUI for Linux as well, but it also has a command line interface and I really appreciate that.

[01:49:02] You can also, as an end user, opt for self-hosted deployment. That's really local. That is trust no one. You know, you're the one hosting it. I don't do that. I trust Bitwarden. I think they know a lot more about security than I do. So I host my vault on the Bitwarden vaults, but you can also host it locally for greater control over system configuration and data residency. Now, let me talk more about this MCP server. It's MCP, as you probably know, is an open protocol for AI assistance.

[01:49:32] The MCP servers enable AI systems to integrate with commonly used applications. Things like your content repository, like GitHub or GitLab or business platforms, developer environments. They provide a consistent open interface. Driving secure integration with agentic AI, the Bitwarden MCP server represents a foundational step towards secure agentic AI adoption. You got to keep that credential workflow in there. That's a really important part of it.

[01:50:02] Bitwarden, it just does it right. Take a look at, if you're thinking about it for your enterprise, take a look at this research group, Info-Tech Research Group's new report, Streamline Security and Protect Your Organization. It talks about how enterprises in the Forbes Global 2000 are turning to Bitwarden to secure identity and access at scale. The report emphasizes the growing complexity of security these days with globally distributed teams and fragmented infrastructure,

[01:50:31] credentials dispersed across teams and contractors on different devices. It is a scary problem. Enterprises are addressing credential management gaps and strengthening their security posture by investing in scalable enterprise-grade solutions like Bitwarden. And if you're thinking of moving to Bitwarden, you'll be very pleased to know that the setup is super easy. It now supports, Steve and I kind of did the manual export

[01:50:59] from LastPass import into Bitwarden. It wasn't hard. It took me a minute or two. But now it supports importing directly from most password management solutions. So that's a very easy thing to move to Bitwarden. And I think this is so important. Bitwarden's open source, which means the source code can be inspected by anybody, regularly audited by third-party experts. If crypto is not open source, you cannot be assured there's no backdoor in it. With Bitwarden, you know it's using good,

[01:51:29] strong encryption technologies and it's private and secure. You can verify that. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, CCPA compliance. It's ISO 27001-2002 certified. And it's free for individuals forever. So I want you to try it out, especially if you're in a business. I know you all use password managers. My gosh, how could you listen to the show and not? But I bet you Thanksgiving's coming.

[01:51:59] You're going to be called upon by family members. You're going to be challenged. You know, they're going to say, oh yeah, I got all my passwords in this little book here. I keep it in my back pocket. Or, oh, it's all on post-it notes. This is an opportunity. This Thanksgiving, tell your family members, Bitwarden, free forever for individuals, unlimited passwords, unlimited passkeys. It even supports YubiKeys. You know what? Bring a couple of YubiKeys to Thanksgiving.

[01:52:28] Two per person. Distribute them. Maybe put Bitwarden on a USB drive and give it to them. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. Or get started for free across all devices as an individual user at bitwarden.com slash twit. That's bitwarden.com slash twit. Yes. Now, let us go on with the conversation. Steve? Oh, you're muted. Are you muted? Yep.

[01:52:58] Sorry. Yep. Okay. I was typing a little bit while you were. Yeah, yeah, yeah. Thank you. I appreciate that. Matt said, Steve, as you have stated, many listeners likely run their own mail server, as you do, and have ventured into the world of SPF, DKIM, and extra hoops Google and Microsoft require, and all of that work. As you know, having an email domain can have lots that needs done, and a great tool I found in keeping mine running

[01:53:27] is sending an email from the domain you care about to this email address: check, C-H-E-C-K, at dmarcly, D-M-A-R-C-L-Y, dot com. He said, even just a blank email to that domain will result in an email that will return to where you emailed from containing all of this information. The header from the domain using RFC 5322,

[01:53:58] DMARC's pass or fail, DKIM's pass or fail, alignment, domain, and your selector record, SPF's pass or fail, the alignment and the domain, BIMI, you know, the logo that we talked about. He says, I don't do this on mine, just says no record found, unsure what it would show if you had installed. I do have installed and it showed me my BIMI record. MTA-STS and TLS-RPT, he said again, he says,

[01:54:27] I don't do these, so mine just says record policy not found. Blacklists checks your IP and mail server to see if it has any hit on blacklists. A spam score tells you what SpamAssassin sees as the score of your email and he says, mine is a pleasant zero to one. Or, mine, he said, my zero, I'm sorry, mine is a pleasant minus 0.1. So, and he said, DMARCLY themselves, of course, offers paid tiers

[01:54:57] of email support, but this email check service is completely free and I have a weekly tasker set for myself to send it an email to just see how my email server is doing in the real world. I probably should automate that to a script, that way the email just shows up once a week to me. He said, I also think this tool could be helpful for those who don't run their own server just to see how the provider they are using is keeping their email deliverability

[01:55:27] something of a priority. As we all know, setting up an email server is dead simple. Getting emails to deliver from it is a whole other matter. Matt. So, following Matt's suggestion, I went over to dmarcly.com. Be sure to spell it D-M-A-R-C not D-M-A-R-K since that's a different email service. Don't ask me how I know that. It appears that they're wanting to collect business email accounts.

[01:55:57] I took Matt's suggestion and sent email to check at dmarcly.com but I didn't receive a reply. Yeah, neither have I. Yeah, I'm wondering why. I figured that I might need to create an account which Matt might not have known since he may have already had a free account. So, I did that, created an email, an alias email for myself, my address at grc.com and then I went to dmarcly, created a free

[01:56:26] account under that alias and then I received the expected email confirmation, you know, click here to confirm your email and your free account. Then I sent another check at dmarcly.com email from that alias and that did the trick. I received a very nice and thorough analysis of GRC's SPF, DKIM, and DMARC status as well as the GRC's BIMI email

[01:56:56] logo. And for what it's worth, I mean, I spent a lot of time looking around DMARC-y stuff but I didn't run across dmarcly. It has, that site, regardless, has a bunch of very nice tests and some advice and educational resources. So to me, it looks like a very reasonable place to learn about DMARC and to test out one's email setup. So thank you for the pointer, Matt. Oh, and

[01:57:25] what matters most to me, as I've said, is that Google now and still blames GRC for zero, absolutely zero, of the spoofed email that is apparently continually flowing into them from people pretending to have sent it from GRC. Since I showed that flat line, which was flat at

[01:57:55] zero in the chart last week, I keep looking at it every couple days. That line is continuing to extend at zero, not a single additional instance of spam, yet I'm sure that the cessation of spam pretending to be from GRC didn't stop just because I updated my DMARC stuff to I set it for strict

[01:58:25] alignment rather than the default, which was relaxed, and it made a lot of difference. So that's mostly what I care about because Google, they own email for all intents and purposes. I guess them and Microsoft. Scott Ulrich, his subject was still getting Windows 10 updates. He said, hey Steve, I made a point on principle of not doing anything

[01:58:55] Microsoft required to obtain Windows 10 updates past October. No storing settings in the cloud, no payments, and I don't have enough Microsoft brownie points to get the extra year. I'm not in Europe, and I still seem to be getting Windows 10 updates see attached. Curious if others are seeing the same. Cheers, Scott. So Scott attached a screenshot of his Windows update

[01:59:24] showing two seemingly contradictory things. His Windows 10 machine, I've got that, I duplicated his screenshot in the show notes for anyone who's interested. His Windows 10 machine is reporting that it's receiving a November 2025 cumulative update for Windows 10 version 22H2 for x64-based systems, and it notes that it's KB

[01:59:52] 5071959. So this is clearly what Scott was referring to when he noted that his machine was still receiving updates. But then below that, in the screenshot Scott thoughtfully provided, we see the familiar notice, enroll in extended security update with the explanation, your device is no longer receiving security updates. Enroll now to stay protected and productive for another year. Because of course, you know,

[02:00:22] you can't be productive unless you have the latest update. Yeah, that's right. Okay, so what's going on here? The key is that specific knowledge base number, KB5071959. It turns out that's not what it might appear to be at first glance. Despite its November 2025 date, it is not providing November's security fixes for that machine.

[02:00:51] Instead, it's repairing a known set of ESU bugs that have been collectively preventing machines from successfully being able to enroll in Microsoft's ESU program, even if users want to. Some of the reports of ESU failure are somewhat comical, since Microsoft will simply report something went wrong.

[02:01:21] Yeah, Microsoft, something's wrong in Redmond, which is not very satisfying for someone who's panicked about keeping their Windows system up to date, and who Leo is desperate to stay productive. It's very important. Oh, my God. I found some terrific reporting on this over on the Guru of 3D site, where its author wrote, Windows 10 users sticking with the older operating system have one remaining

[02:01:50] lifetime for security updates, ESU, Microsoft's extended security updates program. One remaining lifeline, not lifetime. I thought, what is that? Lifeline for security updates, ESU, Microsoft's extended security updates program. It's designed for systems that cannot move to Windows 11 or for users who simply prefer to stay on Windows 10 a little longer.

[02:02:19] ESU provides up to three years of critical security patches, but you need to be enrolled to receive them. Depending on the device, enrollment can be either paid or linked to Windows backup, and it also requires a Microsoft account. The problem is not that everyone could enroll. Over the last few months, a mix of bugs made ESU activation unnecessarily difficult.

[02:02:49] Some users in the EU saw messages claiming the service was temporarily unavailable, even though the program was active. Others, trying to use the free activation method through Windows backup, ran into a generic something went wrong message that stopped the process entirely. These issues appeared right as Windows 10 transitioned out of standard support, which created more confusion during a time when many

[02:03:18] users were already dealing with upgrade decisions. There were also earlier cases where Windows 10 insisted the system had reached end of life even when ESU was active. Wow. The odd part was that this affected not only standard Windows 10 installations, but also Enterprise LTSC 2021 and LTSC IoT 2021 editions, that's the long-term servicing channel editions,

[02:03:48] that still have years of official support ahead of them, yet they stopped getting support. Microsoft really screwed things up here. He didn't say that, that's me. He said Microsoft patched those cloud-based configuration errors earlier, but the enrollment bugs continued to cause trouble. Microsoft has now addressed the remaining issues with an out-of-band update, KB5071959.

[02:04:18] This patch fixes the EU enrollment failures and the sign-up errors tied to Windows backup activation. If your device could not enroll in ESU before, this update to Windows 10 is required to restore the system's ability to join the program. On the other hand, if ESU already works on your machine, the patch is not mandatory. It mainly targets systems which were

[02:04:48] blocked by the earlier bugs. With KB5071959 now available, all known ESU enrollment problems should be resolved. Windows 10 users who rely on extended support can finally complete the process without running into misleading warnings, regional availability errors, or dead-end messages. Nothing about ESU's requirements has changed, however, but at least the sign-up path is no longer impeded by those software faults. If you're still running

[02:05:17] Windows 10 for the long haul, installing this update is worth doing before attempting ESU enrollment again. It ensures the latest security update window Microsoft offers for Windows 10 actually works as intended, especially important for anyone keeping older hardware in service. So that's what's going on. Microsoft's page for this explained that this out-of-band somewhat emergency

[02:05:46] update, you know, not only fixed these well-known persistent ESU problems, but it also included all the security updates up through October 14th when all non-ESU security updating ended. So I wanted to take the occasion of Scott's note to let everyone know what was going on. This fix, which became available last week, will be automatically installed into all Windows 10 machines and should then

[02:06:15] resolve any remaining ESU enrollment problems. So if that happened to you, make sure, you know, go to Windows Update, make sure that you are as current as you can be. If not, you'll get that last KB5071959 knowledge base update and then you should be able to enroll in ESU and be updated through October or something or other, middle of October of 2026. And, same

[02:06:45] guy, Scott added, P.S. There's been talk in recent weeks about going back and listening to previous episodes. I have some experience with this. I found your podcast in 2019 while I was studying for my CISSP during a career change toward a focus on security. I started listening weekly to all fresh episodes, then went back to start listening from episode one while exercising and working on projects around the house.

[02:07:14] It took several of the early episodes before I realized Leo was the same guy I used to watch in high school on TechTV. Yes, only much better looking now. We've all been at this for a while. He said, the episode I started with was episode 723 from July 16th, 2019, and I finally caught up with all prior episodes on October

[02:07:43] 28th, 2023. So, four years, three months, and 12 days. That's dedication. To get caught up. He said, while I cannot credit you with achieving my CISSP at the time, I do thank you for keeping me interested in InfoSec and on top of the current topics ever since. Listening to all those old episodes was a great refresher on various IT topics and

[02:08:13] the evolution of security over the past 20 years. You helped to reinvigorate my career in technology, and I've been happy to support you and TWIT as a TWIT member since 2021. Keep up the great work. So, thank you, Scott, for the great backstory, and thanks for sharing it. Larry Wilson said, actually, he quoted me, quote, this is my voice, quote, indeed, only about

[02:08:42] 0.02% of webpage loads today actually use XSLT at all with less than 0.001% using XSLT processing instructions. Actually, that was me quoting Google, and so that's Larry quoting me quoting Google. Larry said, while I agree that those percentages indicate that XSLT is a small minority of webpage loads, I

[02:09:11] have to imagine that the raw number of loads per day, say, is actually tremendously large. Not to say that this changes the security concerns, but I don't interpret those numbers as saying that it sees little use. It seems to me that it says that it's being used that what, hundreds of thousands of times a day? Millions? So, Larry's

[02:09:41] point is that even 0.02% of all webpage loads while representing a small fraction of the total still represents a large absolute value. And, of course, he's right. And, Lisa Lombardo wrote, I hate to admit it, but I'm aware of enterprise product use of XSLT. Thanks for sharing this

[02:10:11] so I can forward this news. Thank you, Lisa. So, as I noted last week, I suspected that within the reach of our listeners would be people who are actually using and still depending upon XSLT or knew of others who were. And when I say still depending upon, that's kind of unfair, right? Because it has been a universally supported standard from the day of its original release. So, there's no reason for anyone to

[02:10:40] not still be depending upon it, except, of course, that everyone listening is now aware that some re-engineering of those existing aging solutions is going to be required. What's going to happen for those who are not listening to this podcast or who are not tapped into some similar source of information is that come next March, you know, next year, there will be a rude awakening to the coming demise of

[02:11:10] XSLT when Google flips the default on switch to off. Suddenly, all those facilities serving pages that are being displayed only thanks to the XML to HTML translation provided by those built-in browser features will fail. Those sites will fail. After some panic scurrying around, everyone will figure out that the switch needs to be flipped back on, at

[02:11:40] which point those still using XSLT will have at most eight months to redesign their perfectly working system for the last couple decades, around more modern solutions. So hearing firsthand from some of our listeners who will be directly touched by this, you know, Google's quite apologetic announcement is a bit more understandable. I mean, they get it that 0.02%

[02:12:09] is still a lot more than zero. John G. Atta said, looks like Apple podcast subscription has doubled. He said, I'm in the business of supporting GRC, not Apple, so I canceled. Suggest you talk about this on your next episode. I wanted to do that. I don't know anything about Apple's podcast subscriptions, Leo, but I don't know if that's anything that that

[02:12:39] Twit has any. No, I don't think this has anything to do with us. I don't know. And I haven't heard it from anybody else. Maybe it's something in John's world. So, John, and anybody who wants to subscribe, you can just go to the twit.tv slash club twit page, and there should be links there to Apple. So let me just check, but maybe Patrick is listening too. Yeah, I think it's four bucks

[02:13:09] for an individual show or $4.99 for an individual show. Huh. Let me see if we have it here. Yeah, single show plans. So if you scroll down at twit.tv slash club twit, go to the single show plans, click on security now, it's $5, and it should be right there, everything you need. So just do that. You'll get a special

[02:13:38] URL to add to your podcast client, which works with Apple Podcasts, and that'll be that. That's a direct way to support us as opposed to, I don't know what Apple is doing. I think he's mistaken. Okay. Yes, I think we would hear about it if Apple doubled the cost. David Lemire said, Hi, Steve. Your recent coverage of AI-related topics caused me to realize I have zero clue how an

[02:14:07] AI shopping agent works. Full disclosure, I've yet to deliberately try out any AI tools. I found this brief article about a Columbia Business School study that offered some interesting insights, a paragraph that stood out, and he quotes it, One of the study's most striking conclusions is how different AI models behave. Claude Sonnet 4, GPT-4.1, and Gemini 2.5 Flash frequently made divergent choices when asked

[02:14:36] to choose among identical assortments. For example, Claude favored one brand in the fitness watch category nearly twice as often as the other models. These preferences were consistent and measurable, suggesting that each AI model effectively creates its own miniature market with its own demand patterns. Always love your work, David. So thanks, David. His quote from Columbia and the surprise that might first

[02:15:06] be felt causes me to note that with AI, we're no longer working with the sorts of computers that we always have before. With a computer, we assume that there's one right answer. So we might at first be inclined to imagine that asking three different AI models to select, you know, for example, the treadmill that offers the most value for the price, they ought to all converge to the same conclusion.

[02:15:36] But of course, we know better. If we ask three different people the same question, we'll likely get three different answers. Today's AI models are individually handcrafted by their designers, and the modeling data they train on and the details of the way they train and are reinforced may be similar, but in detail, they're all different. And we know that even if they were all given the same identical training data, the differences in their

[02:16:06] internal design and operation would likely still cause them to reach different conclusions, just like those three different people we might have asked. So, yeah, you're going to, you know, the AI models are going to be different and are going to have divergent results. And finally, Simon Zaroffa, a frequent contributor to the podcast's feedback, says, hi, Steve. For podcast listeners who are tech support for

[02:16:35] their non-techie friends and family, it is possible to disable the Windows Run dialog through group policy or the registry. Okay, now he's talking about that very high profile, very active new phishing attack where people are being asked to hit copy in a captcha, which puts a malicious string on their clipboard, then being told to paste it into the Run

[02:17:05] dialog and hit enter, which then moves them, you know, breaks out of the browser's confinement and containment and allow, and it's like, there's like a huge, it's called the ClickFix campaign and it's going crazy. So Simon says, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. If you don't have the Explorer key under Policies,

[02:17:34] right-click on Policies and create new key and name that key Policies. Right-click on it on the right side and click New, DWORD (32-bit) Value and name it NoRun, capital N-O capital R-U-N, double-click NoRun and change the default data to one. And he says, or you can change the value data to two to

[02:18:04] re-enable the Run dialog or delete the NoRun registry key if you no longer need it. Anyway, he says, users who don't need access to the Run dialog, many don't, for them, this might be an effective solution to the problem of pasting CAPTCHA commands and unwittingly compromising their systems. Of course, this will disable the Run dialog for maintenance purposes, so ensure you have access to the tools you might need via some other route, like launching a command prompt, but it's unlikely that

[02:18:34] the CAPTCHA instructions would do that. So anyway, I thought that was a cool tip. If you know people who might get themselves in trouble, or you can certainly do this through group policy, as Simon also noted, so the Run dialog could be disabled enterprise-wide to keep people from getting in trouble by using it for things they shouldn't, I thought that was a great tip. So thank you, Simon. And Leo,

[02:19:03] it's time for our main topic. Let's do our last commercial break, and then we're going to talk about global cell phone tracking. And I have checked on Apple Podcasts, and the good news is it is still $5 a month, so I'm not sure what he was seeing, but maybe you should be careful if you saw a double price. That might not be the place to go. Do it through our webpage, would be my recommendation, twit.tv

[02:19:33] slash club twit. We appreciate your support. For a couple bucks more, you can join the whole kit and caboodle, get ad-free versions of all our shows, and get all the fun stuff. Yesterday, we had a lot of fun. We played Dungeons and Dragons in Club Twit in the Discord with Paul Thurrott as Helm Hammer Bland. Jacob Ward was there, Paris Martineau from the Untitled Linux Show, Jonathan Bennett. He was like

[02:20:02] the professor. He had a pipe. I was Sag Bottom the Cheerful. Micah Sargent was our dungeon master. We got out of the corn maze. We had a lot of fun doing it. We've got Chris Marquardt's monthly photo visit. We got Stacey's book club. Scott Wilkinson's going to do a Q&A, another Q&A, home theater geeks this week. Micah's crafting corner is tomorrow. I mean, there's always something going on in the club. And with seven bucks, actually, did I say seven? It is now ten bucks a month. I apologize.

[02:20:33] Ten bucks a month. If you're grandfathered in, if you had a membership at the seven bucks, we're going to keep you at seven bucks. But for new members, ten bucks a month. But you get so much benefit, we think. And you really support what we do. This pays for 25% of our operating costs, including this show and all the shows we do. So, twit.tv slash club twit. We would love to have you. If you only listen to Security Now, fine, join five bucks a month for Security Now. But for a little bit more, you get all of the

[02:21:02] content that we produce here at Twit. Now, let me talk about our sponsor for this segment of Security Now, Delete Me. We use Delete Me because I realize that all of that data, all that information that's about us, that's online through data brokers, is more than just a privacy issue, more than just an annoyance. It's actually a security issue. It's being used by bad guys to target you with

[02:21:32] phishing attacks, with text messages, and it happened to us. We immediately signed up for Delete Me for our management because we don't want to be hacked. If you have ever searched for your name, you know how much personal data is out there for anyone to see. Your name, your contact info, but even more, your social security number. It's not expensive. It's like a buck, a buck 50, your home address, information about your family members. Data brokers compile this

[02:22:02] completely legally because we don't have a good privacy framework in the United States, and they sell it online to the highest bidder, which could be a marketer, sure, but it also could be the government, law enforcement, foreign powers. Anyone can buy your private details. And I don't think it takes much imagination to think about how that could go wrong. Identity theft, those phishing attempts I talked about, doxing, harassment, you really should protect your privacy with Delete Me.

[02:22:32] It's very easy to do. It's a subscription service, it removes your info from hundreds of data brokers, you go there, join deleteme.com slash twit, you're going to sign up, you're going to tell them what information you want deleted, so you do give them some information, they need that to find you and to find the data you want deleted, but this is the key, this is their job, this is their business, they will find your data and delete it, then they will send you regular personalized privacy reports showing what

[02:23:02] they found, where they found it, what they removed, so you know they're working, you don't want a one-time service, that's not Delete Me, Delete Me is always working for you, constantly monitoring and removing that personal information you don't want on the internet, we just got another email from Delete Me for Lisa, saying hey we found some stuff, we deleted it, put it simply, Delete Me does all the hard work of wiping you and your business's information from data broker websites, no one does it better, take control of your data, keep your

[02:23:32] private life private, by signing up for Delete Me, we've got a special discount for our listeners for individual plans, 20% off when you go to join delete me dot com slash twit and use the promo code twit at checkout, the only way to get 20% off is to go to join delete me dot com slash twit and enter the code twit at check out, that's join delete me dot com slash twit offer code twit make sure you get that URL right, there's another delete me, it's a different company in Europe, don't go there, go to

[02:24:02] join delete me dot com slash twit, make sure you put the join in there, offer code twit for 20% off your individual privacy plan, join delete me dot com slash twit, we thank them so much for supporting Security Now and the vital work that Steve does every Tuesday on the show, all right, now, back to Steve, so, I need to credit

[02:24:31] today's topic to a listener of ours named Amir Katz, who wrote the following, he said, hello, Steve and Leo, long time subscriber and SpinRite owner, et cetera, this is about a different type of phone hacking, so you may find this story very interesting, and he sent me a link, it's in the show notes, to Bruce Schneier's monthly newsletter, to which I'm sure you subscribe as well, thank you, so I do subscribe, but I subscribe to

[02:25:01] more than I can consume, and when I'm intensely focused on coding, I fall much further behind, so I didn't see Bruce's pointer to this, but I did see Amir's pointer to where Bruce was pointing, so as usual, I'm primarily driven by technology, that's what I find most interesting, and that appears to be the main reason our listeners keep listening and find this podcast worth their precious time, so when I understood the enabling

[02:25:31] technology underlying this global cell phone tracking, I just closed my eyes and shook my head, it was so insidious and obvious in retrospect, and I knew that everyone would feel the same way and would get it as I did, so I've trimmed the original report where I could, to keep its length under control, but it does contain a bunch of interesting detail that I'm sure everyone will find as fascinating as I did. The piece's title is How

[02:26:00] FirstWap, FirstWap is the name of this bad company, FirstWap tracks phones around the world. It's a private company and the article's teaser reads, from telecom providers to a one, get this, a 1.5 million row data set that is of tracking results, here's how we uncovered the reach and tactics of a mercenary

[02:26:30] phone tracking company. Okay, so before I share the edited down version of their reporting, stop for a moment to ask yourself exactly how something that we all take entirely for granted works, how does the global telephone network know where everyone is all the time? Sure, we know that as we roam around,

[02:27:00] our handsets are pinging and logging into various nearby cell towers, and that relative signal strengths are compared to determine which cell tower base station should handle our connection. But what underlying protocol is used, and who exactly has access to it? And more importantly, can anyone anywhere query the instantaneous location of anyone

[02:27:30] else? And by now you know where this is going. You know, we talked about that instance last June, where as a security precaution, senior Iranian officials were deliberately not carrying mobile phones because they were acutely aware of their trackability, but they failed to insist upon the same level of care from their bodyguards who were carrying cell phones and who were,

[02:27:59] you know, being bodyguards in close proximity to their bodies. We assumed at the time that the bodyguards must have been practicing poor personal phone security hygiene and had their phones infected with some form of tracking spyware. But what if the reality is far worse? What if the underlying global cell phone network itself is so poorly designed and so

[02:28:29] insecure that anyone's location can be known at any time by anyone else phone number without the aid of any spyware of any kind, just by virtue of it being a cellular phone? So here's what the team at Lighthouse Reports wrote. They said in the spring of 2024, Lighthouse found a vast archive of data on the deep web.

[02:28:59] It contained thousands of phone numbers and hundreds of thousands of locations from nearly every country in the world. What was it? The data came from a little known surveillance company called FirstWap, W-A-P. Headquartered in Jakarta, but run by a group of European executives, FirstWap has quietly built a phone tracking

[02:29:29] empire spanning the globe. There have been leaks of telecom network targeting data in the past, but none of them has included this amount of successful targeting of individual phone numbers. The team found material inside the archive for dozens of stories, including how the company's tracking tech was used against Rwandan dissidents targeted in an assassination campaign,

[02:29:58] a journalist investigating corruption in the Vatican, and a businessman being investigated for compromising material. Unlike top-tier spyware firms, such as the notorious NSO Group, phone tracking firms like FirstWap have flown under the radar. It's possible to view the surveillance industry as a pyramid. At the top are the elite spyware companies selling expensive, highly targeted, and invasive

[02:30:27] tools like NSO Group's Pegasus or Intellexa's Predator. At the bottom sit the preliminary tools that help enable surveillance operations, OSINT, as in open-source intelligence, and social media scraping tools to develop profiles of targets, internet infrastructure to spin out lists of honeypot domains, and vulnerability vendors trading identified weaknesses in operating systems and other software.

[02:30:57] Sandwiched in between these is the middle layer: firms that track locations or intercept communications at scale like FirstWap. With the top of the pyramid grabbing the most attention, the middle tier has managed to operate with less scrutiny despite enabling surveillance on a far broader scale. A key player in this middle tier is FirstWap, a little-known phone tracking

[02:31:26] firm headquartered in Jakarta. FirstWap's primary product is a surveillance tool called Altamides, an acronym for Advanced Location Tracking and Detection System. While Altamides boasts a number of capabilities, its flagship feature is the ability to track a phone number anywhere in the world without leaving a trace on the device. Besides location tracking,

[02:31:56] Altamides also has the ability to intercept text messages and phone calls, spoof messages and even breach encrypted messaging apps like WhatsApp. Okay, now they rattled off all of that, but the key quote here, its flagship feature is the ability to track a phone number anywhere in the world without leaving a trace on the device. In fact, without anything installed in a device whatsoever. It leaves no

[02:32:25] trace because it's leveraging the fabric of the global telecom system itself to do all the work. As I noted earlier, though it's obvious once you stop to think about it, the global cell phone network somehow always knows where every cell phone in the world is located. It has to in order to work. Their report included a snippet from the FirstWap

[02:32:54] brochure describing Altamides. It says, for example, under location tracking, I've got at the bottom of page 18 of the show notes, monitoring and profiling multiple suspects and groups of suspects is a time-consuming and arduous undertaking. Altamides facilitates location profiling of suspects and groups of suspects to detect and analyze movement patterns, potential meeting

[02:33:24] locations, and times and the like. And then they have this thing called Rapid Tracks. An organized crime investigation requires the immediate localization of several suspects in order to coordinate a concerted action of law enforcement personnel. Monitoring center staff utilize the Altamides module Rapid Tracks for ad hoc location interrogations and forward

[02:33:53] the results directly from Rapid Tracks to individual law enforcement officers in the field. And under selected key features, quick and simple single mobile number location interrogation, detailed location information on maps and in textual format. Retrieving of, it's blurry, I'm having a little trouble reading. I can read it for you.

[02:34:23] Retrieving a call forwarding number, mobile phone status, IMSI, IMEI with phone model and brand. Oh my God, et cetera. Location result forwarding by SMS, scheduling of interrogations, scheduling of the phone, interrogations of the location, the location, yeah. Display and download of historical reports, fixed line number location, lookup capability. Yikes. Yep. So they said

[02:34:53] the investigation started with a 1.5 million row archive that was basically their log of all previous surveillance operations carried out via FirstWAP's systems. Within the dozens of columns, we found a relatively straightforward taxonomy of data: times and dates, latitude and longitude, phone numbers, country and phone operator names, map URLs, alongside fields that were at first glance less obvious, such as query methods,

[02:35:24] cell identifiers and other technical details. Numerous internal references in the data set demonstrated its ties to FirstWAP and the Altimedes tool. What was clear was that this was a record of years of location tracking targeting thousands of phone numbers in a vast range of countries. What was less clear at first was how to make sense of this mass of data. On any given day, the data set might exhibit activity in

[02:35:53] dozens of places. On initial analysis, we saw that the majority of targets were tracked a small number of times, while a minority were tracked heavily or regularly. Similarly, while nearly every country in the world featured in the data set, certain regions emerged as clear hot spots, either in terms of total volume of tracking or in terms of number of devices being tracked. We wanted to understand who

[02:36:23] was being targeted, so we ran all of the more than 14,000 phone numbers through a combination of open source intelligence tools which link phone numbers to internet accounts. We mapped the links between numbers and people using Maltego and then connected this to the diachronic tracking data with an interactive user interface developed by a team member, Christo Buschek. Now, okay, this Maltego

[02:36:53] they mentioned is a potent open source intelligence and link analysis tool which is used to discover interrelationships among people, organizations, websites, domains, social media accounts, IP addresses, breaches, and many other entities. It's able to integrate with Shodan, VirusTotal, Have I Been Pwned, WHOIS, social media lookups, public breach databases, and many cybersecurity

[02:37:22] tools. In other words, it automates all of this legwork now. I wanted to point out this is the kind of tool that now exists which is available to law enforcement and anyone wanting to do intelligence gathering. It is somewhat stupefying to appreciate all the little bits of leakage that we have and the idea that there's something out there able to vacuum it all up and then

[02:37:52] pull it all together and make sense of it. It is a commercial tool used by developers, I mean, sorry, used by professionals, but there is also a free, rate-limited community edition that is available. Maltego, M-A-L-T-E-G-O. They said, although this automated process surfaced thousands of potential matches between phone numbers and names, we only considered identifications to be valid if

[02:38:22] more than one data point connected the number to a person beyond simply a matching name. A team of more than 10 reporters at Lighthouse and Paper Trail Media spent months building up a high-confidence list of targeted individuals which at time of publication included over 1,500 phone numbers. So they had, out of that 1.5 million record database, positively confirmed

[02:38:52] the phone numbers of 1,500 individuals that database represented. Looking for outliers in the data set led us to cases of harm and obvious misuse. Among the most heavily featured numbers we came across Anne Wojcicki, co-founder of 23andMe and at the time married to Google's Sergey Brin, who was tracked more than 1,000 times

[02:39:21] as she moved across the San Francisco Bay Area. We also detected cases where tracking was automated, with time stamps at the same time of each hour, as was the case for Gianluigi Nuzzi, a well-known Italian journalist who had uncovered a corruption scandal inside the Vatican. While we could see who was being tracked, we could not determine which Altimedes

[02:39:51] user was carrying out the tracking. So no way to know on whose behalf these individuals were being spied on, essentially, and tracked just by their phone, the fact that they were carrying a phone with them. No spyware installed. Understanding the broader patterns of surveillance and ultimately their motivation required searching for clusters of targets, networks of people whose tracking was connected in time or space.

[02:40:20] A series of Nigerian election officials, for example, were all tracked in the city of Bauchi ahead of Nigeria's 2011 election. In 2012, meanwhile, the wife of General Faustin Kayumba and the bodyguard of Patrick Karegeya, two founders of the Rwanda National Congress, an opposition movement operating in exile in South America, were tracked within minutes of one another. Both men had been

[02:40:50] targeted for assassination, with Karegeya found strangled in a Johannesburg hotel room 18 months after his bodyguard was targeted by Altimedes. As we continued to identify phone numbers, we homed in on a portion of the data set that indicated use in customer demonstrations. This data showed how FirstWAP's executives, or middlemen they had contracted to market their technology,

[02:41:19] tracked themselves and their associates so the potential clients could experience Altimedes in action. In turn, these records allowed us to see the movements of FirstWAP's salesmen as they hopscotched the globe interacting with potential customers, who themselves were sometimes exposed in the data, either by identity or location. Okay, and now we come to the technology, answering the question

[02:41:49] what made all of this not only possible but feasible and functional. They said, so how did FirstWAP connect the numbers in the data set to locations, and why did some of the data contain blank locations or unsuccessful location attempts? In contrast to top-tier software like Pegasus, FirstWAP's Altimedes does not infect a phone. It operates entirely

[02:42:19] at the level of the telecom network. FirstWAP's late founder Joseph Fuchs realized before almost anyone that by exploiting an antiquated communication system he could trick phone networks into revealing the locations of their users. And here it comes: Signaling System 7. SS7, of course, is a

[02:42:49] decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders. And here comes the phrase we have so often mentioned on this podcast, quote, it was never designed with security in mind. Right, right. Just like the internet that came later. In the early days it was a miracle that it worked at all. Yes. Right.

[02:43:18] I was like, wow, this stuff works. It works, it's amazing. The fact that it doesn't work securely, ah, you know, there were only four people using it at the time, so who needed it? Wikipedia tells us, they said, Signaling System 7 is a set of telephony signaling protocols developed in the 1970s that is used to set up and tear down telephone calls on most parts of the global public switched network, the PSTN. The

[02:43:48] protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services. The protocol was introduced in the Bell System in the United States by the name Common Channel Interoffice Signaling in the 1970s for signaling between No. 4 ESS switch and No. 4A Crossbar toll

[02:44:18] offices. The SS7 protocol is defined for international use by the Q.700 series recommendations of 1988 by the ITU-T. Of the many national variants of the SS7 protocols, most are based on variants standardized by ANSI and the European Telecommunications Standards Institute, ETSI. Then Wikipedia adds, right on

[02:44:48] cue, SS7 has been shown to have several security vulnerabilities, allowing location tracking of callers, interception of voice data, intercept of two-factor authentication keys, and possibly the delivery of spyware to phones. In other words, FirstWAP, the company FirstWAP, has weaponized and commercialized the world's dependence upon

[02:45:18] the original insecure telephony system, which is still in use and will always probably be, because it's the lowest common denominator, and one of our lessons of this podcast is these things never die. So what about improvements to the security since then? The report says, starting with: and while operators have moved to more secure

[02:45:47] evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years, if not decades, to come. Phone networks need to know where users are in order to route text messages and phone calls. Operators exchange signaling messages to request and respond with user location information. The existence of these

[02:46:17] signaling messages is not in itself a vulnerability. The issue is rather that networks process commands, such as location requests, from other networks without being able to verify who is actually sending them and for what purpose. Now, the request you would get would be merely which cell tower is this phone on right now, right? The request would be, where is this

[02:46:47] phone number located, right? But that would be by cell tower, right? Yes, the response is by cell tower, exactly. Triangulation, which is important. Yeah. Okay, right. So these signaling messages, they said, are never seen on a user's phone. They are sent and received by what's known as GTs, global titles, which are phone numbers that represent, like, pseudo phones, phone numbers that represent nodes in a network but are not assigned to subscribers. Surveillance

[02:47:16] companies have often leased GTs from phone operators, yep, and use them to send unauthorized signaling messages into other networks, benefiting from the fact that the signaling messages appear to be coming from the legitimate operator which owns the GT. So you don't even need a Stingray, you just lease a legit GT. Yep. FirstWAP primarily works via

[02:47:46] in-country installations of Altimedes. In this setup, a government client uses Altimedes via an SS7 link belonging to a local phone operator. The local phone operator provides the GTs, and Altimedes uses these GTs to conduct location tracking domestically and internationally. But the company also offered customers SS7 connectivity through Liechtenstein's national operator,

[02:48:15] Telecom Liechtenstein, formerly Mobilecom. The FirstWAP archive shows Altimedes using GTs from Mobilecom to carry out hundreds of thousands of location tracking queries, meaning from Liechtenstein Telecom. Their report then digs into the details of the data they obtained, explaining the operation of the various commands that were issued to the global network. They addressed the

[02:48:45] question of abuse of the system by writing, over time, more phone operators have started to install firewalls to counter this type of threat, but maintaining them is complicated, and spotting this type of location tracking request within the millions of legitimate queries sent to an operator's subscribers on a daily basis is challenging. The more legitimate the source, the more likely it is that the operator on the receiving end of the query

[02:49:15] will let it through. Examination of the data set shows that a considerable proportion of the activity was sent via Mobilecom Liechtenstein, which has excellent worldwide links to other networks and, operating in the heart of Europe, also appears to be a trustworthy traffic source. In response to this investigation, Telecom Liechtenstein, formerly Mobilecom Liechtenstein, said it was unaware of any misuse of its network by FirstWAP.

[02:49:45] By, we, what, what? How much money are we making from that? The phone operator said it had immediately, quote, suspended its business relationship with FirstWAP, and that, quote, if the allegations are substantiated, the collaboration will be terminated without notice, and the company reserves the right to take legal action, unquote. We have no idea. FirstWAP stated

[02:50:15] in response to this investigation that it has, quote, fully complied with the statutory and legal requirements and have also imposed this on our business partners, unquote. And of course we hear that every time, and you ask anybody about malware. The company stated that it has, quote, never attempted to hack an SS7 stack or similar, unquote, and has not offered or sold our products and solutions to repressive systems or sanctioned countries or

[02:50:45] individuals. One and a half million data records to the contrary. As for the determination of location, they wrote, the SS7 commands used do not themselves return longitude and latitude coordinates. Instead, they return a cell ID, which is a unique number assigned to a cell in a mobile network and physically designating a tower or base station. A complete ID

[02:51:14] is made up of four parts: the country, the network, the area, and finally the cell. Cell IDs can be mapped to a longitude and latitude using proprietary or public databases. Governments and operators will maintain their own lists, while there are also publicly available crowdsourced databases such as OpenCelliD. When FirstWAP installed a

[02:51:47] so that Altimedes could convert cell IDs into locations. But as a brochure we obtained demonstrates, the company also offered to facilitate foreign cell ID mapping for its customers, thus allowing them to carry out tracking operations abroad. In the case of the FirstWAP sales representative cited in the data, the cell ID was successfully mapped and the phone was tracked right next to the headquarters of Nigeria's State Security Services. The

[02:52:17] accuracy of such mapping depends on the density of cell towers in an area. In urban areas such as Union Square in San Francisco, the high world physical context, as well as technical issues of signaling queries. Across the span of this archive, it is

[02:52:47] clear that FirstWAP's database of cell IDs was still evolving. This meant that in many cases Altimedes successfully obtained a cell ID but was unable to map it into longitude and latitude. In these instances, the tool would either provide no coordinates or would provide an estimated center of a much larger area. And they conclude their investigative report writing, most countries have a legal mandate to carry out

[02:53:17] domestic phone network surveillance. The FirstWAP archive demonstrates, however, how phone network connections can be leveraged to allow tracking all over the world without authorization from the targeted networks. In recent years, a number of investigations have explored the ways in which surveillance companies gain access to phone networks to enable this type of tracking. Lighthouse and its partners have previously written about how SS7 abuses were linked to a number

[02:53:46] of a reporter in Mexico and a crackdown on an activist in nowhere. Once someone's cell phone number is known, which can often be

[02:54:16] accomplished through some digging or a bit of skulduggery, it is then possible to track their global movements with a granularity of cell phone towers. So, wow. In past podcasts we've seen how much damage this form of metadata can do even lacking any content, for example by simultaneously tracking multiple individuals who may

[02:54:40] be affiliated, it would be possible to determine when and where they meet by monitoring the convergence of their locations. And as individuals, there's likely, well, there's very little that we could do, though I doubt that there's little we really should do, right? It's only very high-profile people who probably have anything to worry about, though the wake-up call here is that no amount of cell phone hygiene will prevent this tracking.

[02:55:10] Nothing can prevent it. It's part of the fabric of the cellular radio-based system we all use today. And I suppose this really does argue for the use of cheap burner phones by anyone who wishes to have a phone with them while preventing any subsequent forensic analysis of their movements. We don't know how much logging of our locations is being done by the providers in our area

[02:55:37] for after-the-fact forensic data mining. In any event, I wanted to make sure that everyone listening was at least aware that a malware infection is not a prerequisite to being tracked on the internet and that there's nothing Apple or Google or Samsung or anyone else can do to prevent it. You know, rotating Wi-Fi MAC addresses or using ephemeral MAC addresses, you know, associated with a Wi-Fi access point will not help.

[02:56:07] Switching a phone to airplane mode or completely switching a phone's cellular radio off so that it drops from the global cellular network is the only way to disappear. Wow. And tracking really is happening. Again, you've done it again, Steve. I'm going to let you go because I know you've got an appointment, but you got to get out of here. I will take care of the final duties. Sign off for me and then we will be back next week. Thanks, Steve. Bye, everybody. Bye-bye. Thanks, buddy.

[02:56:37] We do Security Now. As you probably know, I know you're here. We're listening to it. Maybe you might not be listening live every Tuesday. We're right after MacBreak Weekly. So that's about 1:30 p.m. Pacific, 4:30 Eastern, 21:30 UTC. You can watch it live. Now, if you're in the club, of course, you can watch in the Club TWiT Discord, but you can also watch on YouTube and Twitch and X and Facebook and LinkedIn and Kick.

[02:57:03] So those live streams, if you want the very freshest live version of the show, are the way to watch. But honestly, who has time? Ain't nobody got time for that. You should probably get a copy of the show. There are many places you can go. Steve has the show at his website, GRC.com, the Gibson Research Corporation. That's where you'll get SpinRite,

[02:57:27] the world's best mass storage maintenance, performance enhancing and recovery utility, currently 6.1. He also has a bunch of other great stuff there. In fact, soon, I think the new DNS Benchmark Pro. So that'll be worth a visit. You know, it's fun just to browse around. When you go to the podcast section, he's got menus at the top. Very 1990s looking website. Drop down the menu. You'll see the Security Now show.

[02:57:54] Or just go to GRC.com slash security now. Now, he has a couple of, actually, all the versions he has are unique. He's got a 16 kilobit audio MP3. That's very small. So it's going to be a little bit scratchy. He also has a 64 kilobit audio version. That's a good, perfectly good mono version of the show. He has show notes, which he will send you via email. I'll explain how you can get it via email.

[02:58:23] But he also has them linked there so you can download them. And he does incredible, very detailed show notes. Let's see, 23 pages for today's show. All the links, pictures, the picture of the week, everything you need. The show notes are great. You can read along as you're listening. But he also has transcripts written by Elaine Farris, a real human being. She works as a court reporter. So she's very quick. And she transcribes those a few days after the show.

[02:58:51] Those transcripts will appear on his website as well, which makes it easy to search for terms, things like that. So that's all on grc.com. If you want to get the email of the show notes, go to grc.com slash email. Now, that page he set up initially to whitelist your email address so that you could send him email. So if you have comments, questions, suggestions, pictures of the week, that kind of thing, you've got to go there first. grc.com slash email. Put your email address in there.

[02:59:20] He goes through some process and validates it. And then you'll be whitelisted to send him email. Otherwise, you're just going to go into the bit bucket. But down below the email address, there are two checkboxes. Unchecked by default. One is for that weekly security now email with the show notes in it. It goes out the day before the show usually. The other, he's only sent out one email ever. It's an announcement email for when he has new products.

[02:59:47] Now, the next time you'll get an email on that address is it's actually pretty soon, as soon as the DNS Benchmark Pro comes out. So go to grc.com slash email. Put your email in there. Get whitelisted and check those two boxes if you want to get those two emails. We have copies of the show at our website, twit.tv slash sn. We have 128 kilobit audio. We also have video. So if you want to watch the show, you could do that there.

[03:00:15] We do also put the video on YouTube, youtube.com slash I think security now. Actually, if you go to youtube.com slash twit, there's a link there to all the show's individual YouTube channels. That's useful if you want to share clips. And this is one show I think people are often sharing clips with friends, family, co-workers, bosses. That's easy to do. Everybody can see a YouTube clip. So if you want to clip something there, that's the place to do that. The YouTube channel for security.

[03:00:45] Now, the most practical solution if you want to listen to every show is just subscribe in your favorite podcast client. Yes, we're on Apple Podcasts, but also Pocket Casts and Overcast and all the other podcast clients. We even have links at twit.tv slash sn to some of the big ones, or simply the RSS that you could paste into any podcast client. That way you'll get it automatically. You could choose the audio version or the video version or both. Let's see what else.

[03:01:13] If you're not a member of the club, please join. We'd love to have you. You'll get special URLs for all the shows, including this one without ads. And as I mentioned, it is still $5 to subscribe to this show alone. You can either do that on our website. That would be our preferred method, twit.tv slash club twit, or go directly to Apple Podcasts and subscribe there. I think that's everything. We'll be back next Tuesday. I hope you will too.

[03:01:42] You don't want to miss a single episode. Every single episode, chock full of information you need to know. On behalf of Steve Gibson, GRC.com. I'm Leo Laporte. Thanks for watching. We'll see you next week on Security Now. Security Now.
